Windows Analysis Report
otq7hhgWfq.exe

Overview

General Information

Sample name:otq7hhgWfq.exe
renamed because original name is a hash value
Original sample name:e1649d0d19476fa985709537ff729473ccd494de534f40329c6b1d25ef5e026f.exe
Analysis ID:1659277
MD5:d7ebf3ef787a3fb57a1a0fa793d0b2ab
SHA1:959b4e0de4ee49034442e02fe1a0a5979217b1a4
SHA256:e1649d0d19476fa985709537ff729473ccd494de534f40329c6b1d25ef5e026f
Tags:exe, user-adrian__luca

Detection

DarkCloud
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected DarkCloud
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May check the online IP address of the machine
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • otq7hhgWfq.exe (PID: 7036 cmdline: "C:\Users\user\Desktop\otq7hhgWfq.exe" MD5: D7EBF3EF787A3FB57A1A0FA793D0B2AB)
    • MSBuild.exe (PID: 7080 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • MSBuild.exe (PID: 7084 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • MSBuild.exe (PID: 2436 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: DarkCloud Stealer
Description: Stealer is written in Visual Basic.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud
{
  "Exfil Mode": "SMTP",
  "Username": "carolina@sanzaniviajes.cl",
  "Password": "Gemelos2008*",
  "Host": "mail.sanzaniviajes.cl"
}
Source: 00000003.00000002.2443490054.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Author: Joe Security
Source: 3.2.MSBuild.exe.4034f4.0.raw.unpack, Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Author: Joe Security
Source: 3.2.MSBuild.exe.400000.1.unpack, Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Author: Joe Security
Source: 3.2.MSBuild.exe.400000.1.raw.unpack, Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Author: Joe Security
Source: 3.2.MSBuild.exe.4034f4.0.unpack, Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Author: Joe Security

            System Summary

            Source: Network Connection, Author: Kiran kumar s, oscd.community, Data: DestinationIp: 162.55.60.2, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 2436, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49686
            Suricata alert: Timestamp: 2025-04-08T13:31:49.344989+0200, SID: 2803274, Severity: 2, Classtype: Potentially Bad Traffic, Source IP: 192.168.2.6, Source Port: 49686, Destination IP: 162.55.60.2, Destination Port: 80, Protocol: TCP

            AV Detection

            Source: otq7hhgWfq.exe, Avira: detected
            Source: 3.2.MSBuild.exe.4034f4.0.raw.unpack, Malware Configuration Extractor: DarkCloud {"Exfil Mode": "SMTP", "Username": "carolina@sanzaniviajes.cl", "Password": "Gemelos2008*", "Host": "mail.sanzaniviajes.cl"}
            Source: otq7hhgWfq.exe, Virustotal: Detection: 68%
            Source: otq7hhgWfq.exe, ReversingLabs: Detection: 69%
            Source: Submitted Sample, Neural Call Log Analysis: 97.7%
            Source: otq7hhgWfq.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: W.pdb4 source: MSBuild.exe, 00000003.00000002.2443490054.0000000000400000.00000040.00000400.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeCode function: 0_2_00007FF644280DD0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then push ebp
            Source: Joe Sandbox ViewIP Address: 162.55.60.2 162.55.60.2
            Source: unknownDNS query: name: showip.net
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49686 -> 162.55.60.2:80
            Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
            Source: unknownTCP traffic detected without corresponding DNS query: 20.42.65.91
            Source: unknownTCP traffic detected without corresponding DNS query: 23.203.176.221
            Source: unknownTCP traffic detected without corresponding DNS query: 23.39.37.29
            Source: unknownTCP traffic detected without corresponding DNS query: 2.23.227.215
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_0045DAE0 __vbaStrCopy,__vbaStrMove,__vbaFixstrConstruct,__vbaNew2,__vbaHresultCheckObj,__vbaHresultCheckObj,__vbaStrToAnsi,InternetOpenA,__vbaSetSystemError,__vbaFreeStrList,__vbaFreeStrList,__vbaFreeObj,__vbaStrToAnsi,InternetOpenUrlA,__vbaSetSystemError,__vbaStrToUnicode,__vbaFreeStr,__vbaStrToAnsi,__vbaSetSystemError,__vbaStrToUnicode,__vbaLsetFixstr,__vbaLsetFixstr,__vbaFreeStrList,__vbaStrCopy,__vbaStrToAnsi,InternetReadFile,__vbaStrToUnicode,__vbaLsetFixstr,__vbaFreeStrList,__vbaStrCopy,#631,__vbaStrMove,__vbaLsetFixstr,__vbaStrCat,__vbaStrMove,__vbaFreeStrList,__vbaSetSystemError,#598,InternetCloseHandle,__vbaStrCopy,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net
            Source: global trafficHTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
            Source: global trafficHTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
            Source: global trafficDNS traffic detected: DNS query: showip.net
            Source: global trafficDNS traffic detected: DNS query: c.pki.goog
            Source: otq7hhgWfq.exeString found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
            Source: otq7hhgWfq.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
            Source: otq7hhgWfq.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: otq7hhgWfq.exeString found in binary or memory: http://crl.entrust.net/2048ca.crl0
            Source: otq7hhgWfq.exeString found in binary or memory: http://crl.entrust.net/ts1ca.crl0
            Source: otq7hhgWfq.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
            Source: otq7hhgWfq.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: otq7hhgWfq.exeString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
            Source: otq7hhgWfq.exeString found in binary or memory: http://ocsp.digicert.com0
            Source: otq7hhgWfq.exeString found in binary or memory: http://ocsp.digicert.com0A
            Source: otq7hhgWfq.exeString found in binary or memory: http://ocsp.entrust.net02
            Source: otq7hhgWfq.exeString found in binary or memory: http://ocsp.entrust.net03
            Source: MSBuild.exe, 00000003.00000002.2444118209.00000000016BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://showip.net/
            Source: otq7hhgWfq.exeString found in binary or memory: http://www.digicert.com/CPS0
            Source: otq7hhgWfq.exeString found in binary or memory: http://www.entrust.net/rpa03
            Source: otq7hhgWfq.exeString found in binary or memory: https://www.entrust.net/rpa0
            Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49681
            Source: unknownNetwork traffic detected: HTTP traffic on port 49681 -> 443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_0042D634 GetAsyncKeyState,
            Source: otq7hhgWfq.exeStatic PE information: invalid certificate
            Source: otq7hhgWfq.exeStatic PE information: Section: .cSs ZLIB complexity 1.0003187391493056
            Source: MSBuild.exe, 00000003.00000002.2443490054.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: B*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
            Source: MSBuild.exeBinary or memory string: B*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
            Source: MSBuild.exe, MSBuild.exe, 00000003.00000002.2443490054.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: F*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/59@3/1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
            Source: otq7hhgWfq.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: LoginData.3.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: C:\Users\user\Desktop\otq7hhgWfq.exe, File read: C:\Users\user\Desktop\otq7hhgWfq.exe
            Source: unknownProcess created: C:\Users\user\Desktop\otq7hhgWfq.exe "C:\Users\user\Desktop\otq7hhgWfq.exe"
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeSection loaded: apphelp.dll
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msvbvm60.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vb6zz.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sxs.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wininet.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iertutil.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: urlmon.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: srvcli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: netutils.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: scrrun.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntmarta.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winsqlite3.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cdosys.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: inetcomm.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msoert2.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: oleacc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: inetres.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: activeds.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: adsldpc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: netapi32.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: logoncli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mlang.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
            Source: otq7hhgWfq.exeStatic PE information: Image base 0x140000000 > 0x60000000
            Source: otq7hhgWfq.exeStatic PE information: section name: .gxfg
            Source: otq7hhgWfq.exeStatic PE information: section name: .retplne
            Source: otq7hhgWfq.exeStatic PE information: section name: _RDATA
            Source: otq7hhgWfq.exeStatic PE information: section name: .cSs
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 3_2_0042C4DC pushfd ; retf 0042h
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: foregroundWindowGot 1775
            Source: MSBuild.exe, 00000003.00000002.2444118209.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2444118209.0000000001714000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeCode function: 0_2_00007FF64427A5C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeCode function: 0_2_00007FF64427CC8C GetProcessHeap,
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeCode function: 0_2_00007FF644275A24 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeCode function: 0_2_00007FF6442760CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeCode function: 0_2_00007FF6442760BC SetUnhandledExceptionFilter,

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\otq7hhgWfq.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 46A000
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 46B000
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 11FD008
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            Source: MSBuild.exe, 00000003.00000002.2444118209.000000000178C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 07:31:56]<<Program Manager>>
            Source: MSBuild.exe, 00000003.00000002.2444118209.0000000001730000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [7:33:32<<Program Manager>
            Source: KeyDataRxkenERx.txt.3.dr, KeyDatagSoeCaQN.txt.3.drBinary or memory string: [07:32:37]<<Program Manager>>
            Source: MSBuild.exe, 00000003.00000002.2444118209.0000000001730000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [07:33:51]<Program Manager>
            Source: MSBuild.exe, 00000003.00000002.2444118209.0000000001730000.00000004.00000020.00020000.00000000.sdmp, KeyDatarEXympQg.txt.3.drBinary or memory string: [07:32:01]<<Program Manager>>
            Source: MSBuild.exe, 00000003.00000002.2444118209.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, KeyDatabPFPDGgx.txt.3.dr, KeyDataNZTqSdFw.txt.3.drBinary or memory string: [07:33:11]<<Program Manager>>
            Source: KeyDatatMOlnxDj.txt.3.drBinary or memory string: [07:32:54]<<Program Manager>>
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeCode function: 0_2_00007FF644287EB0 cpuid
            Source: C:\Users\user\Desktop\otq7hhgWfq.exeCode function: 0_2_00007FF644275F04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

            Stealing of Sensitive Information

            Source: Yara matchFile source: 3.2.MSBuild.exe.4034f4.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.MSBuild.exe.4034f4.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000003.00000002.2443490054.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

            Remote Access Functionality

            Source: Yara matchFile source: 3.2.MSBuild.exe.4034f4.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.MSBuild.exe.4034f4.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000003.00000002.2443490054.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 312 Process Injection | 312 Process Injection | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Email Collection | 12 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Obfuscated Files or Information | 11 Input Capture | 21 Security Software Discovery | Remote Desktop Protocol | 11 Input Capture | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Software Packing | 1 Credentials in Registry | 1 Process Discovery | SMB/Windows Admin Shares | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 1 Data from Local System | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 13 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Behavior graph (image not reproduced). Behavior Graph ID: 1659277, Sample: otq7hhgWfq.exe, Startdate: 08/04/2025, Architecture: WINDOWS, Score: 100
            • DNS/IP: showip.net; pki-goog.l.google.com; 2 other IPs or domains
            • Sample signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
            • otq7hhgWfq.exe (started): Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes; starts three MSBuild.exe processes
            • MSBuild.exe (started by otq7hhgWfq.exe): contacts showip.net 162.55.60.2, 49686, 80 ACPCA United States; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

            Source | Detection | Scanner | Label | Link
            otq7hhgWfq.exe | 68% | Virustotal | | Browse
            otq7hhgWfq.exe | 69% | ReversingLabs | Win64.Trojan.Leonem |
            otq7hhgWfq.exe | 100% | Avira | HEUR/AGEN.1361736 |
            SAMPLE | 100% | Joe Sandbox ML | |
            No Antivirus matches
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
            showip.net | 162.55.60.2 | true | false | | high
            pki-goog.l.google.com | 142.250.80.99 | true | false | | high
            c.pki.goog | unknown | unknown | false | | high
                    Name | Malicious | Antivirus Detection | Reputation
                    http://c.pki.goog/r/gsr1.crl | false | | high
                    http://c.pki.goog/r/r4.crl | false | | high
                    http://showip.net/ | false | | high
                          Name | Source | Malicious | Antivirus Detection | Reputation
                          http://aia.entrust.net/ts1-chain256.cer01 | otq7hhgWfq.exe | false | | high
                          http://crl.entrust.net/ts1ca.crl0 | otq7hhgWfq.exe | false | | high
                          http://ocsp.entrust.net03 | otq7hhgWfq.exe | false | | high
                          http://ocsp.entrust.net02 | otq7hhgWfq.exe | false | | high
                          http://www.entrust.net/rpa03 | otq7hhgWfq.exe | false | | high
                          http://crl.entrust.net/2048ca.crl0 | otq7hhgWfq.exe | false | | high
                          https://www.entrust.net/rpa0 | otq7hhgWfq.exe | false | | high
                                        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                        162.55.60.2 | showip.net | United States | | 35893 | ACPCA | false
                                        Joe Sandbox version:42.0.0 Malachite
                                        Analysis ID:1659277
                                        Start date and time:2025-04-08 13:30:54 +02:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 4m 40s
                                        Hypervisor based Inspection enabled:false
                                        Report type:light
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:14
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:otq7hhgWfq.exe
                                        renamed because original name is a hash value
                                        Original Sample Name:e1649d0d19476fa985709537ff729473ccd494de534f40329c6b1d25ef5e026f.exe
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@7/59@3/1
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 88%
                                        • Number of executed functions: 0
                                        • Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 23.204.23.20, 172.202.163.200, 199.232.210.172, 13.95.31.18, 13.85.23.206
                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                        Time | Type | Description
                                        07:32:03 | API Interceptor | 25501x Sleep call for process: MSBuild.exe modified
                                        No context
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.272509351228049
                                        Encrypted:false
                                        SSDEEP:6:tSWE1Xp0+E1Xp0+E1Xp0+7Z0+7Z0+7Z0+7Z0+7Z0+7Z0+7Z0+6dpx:tlmp0+mp0+mp0+90+90+90+90+90+905
                                        MD5:C47959B8242FE852F0BDC9178F6DC45C
                                        SHA1:B98E2FB49A470CF3B25F090F2B0BA23A9891D98D
                                        SHA-256:AA9E8D86273F6BCF7739360CF0BDD72952119A4EAFE8EBFCDF894D59770EB0FE
                                        SHA-512:4A6FE2BA0B987D8063CD62C6FD27AB0C19DC70EF1913B3A1A7970E17514A2AF6F4074C17E77FD93C4D6F4607CA189CD1F35366E0FCF93116B5267824B9A6A275
                                        Malicious:false
                                        Reputation:low
                                        Preview:..[07:33:03]<<Program Manager>>....[07:33:03]<<Program Manager>>....[07:33:03]<<Program Manager>>....[07:33:04]<<Program Manager>>....[07:33:04]<<Program Manager>>....[07:33:04]<<Program Manager>>....[07:33:04]<<Program Manager>>....[07:33:04]<<Program Manager>>....[07:33:04]<<Program Manager>>....[07:33:04]<<Program Manager>>....[07:33:05]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.401268822386593
                                        Encrypted:false
                                        SSDEEP:6:tSWd0+d0+d0+K0+K0+K0+K0+K0+K0+K0+L1Zx:tld0+d0+d0+K0+K0+K0+K0+K0+K0+K0Y
                                        MD5:A7762F2B6C609B1D20B5B2F7120B1B6F
                                        SHA1:2A15E49BC8124F2FF65AB35A755FA5D7E85684F2
                                        SHA-256:22B0FA3D6D6F1DA6809CB525C3A2877A24E3128BC4A06AF1CEE1FDC6E5914119
                                        SHA-512:464E37A077A8407469764B21BB5DAD08D5379C561EAABA78FF95A3EDFADF4585E2AF7888DA3029051483C8716F0FA942E60A8704464C58CB9A86FF3087B04CA5
                                        Malicious:false
                                        Reputation:low
                                        Preview:..[07:32:47]<<Program Manager>>....[07:32:47]<<Program Manager>>....[07:32:47]<<Program Manager>>....[07:32:48]<<Program Manager>>....[07:32:48]<<Program Manager>>....[07:32:48]<<Program Manager>>....[07:32:48]<<Program Manager>>....[07:32:48]<<Program Manager>>....[07:32:48]<<Program Manager>>....[07:32:48]<<Program Manager>>....[07:32:49]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.304278802761717
                                        Encrypted:false
                                        SSDEEP:6:tSW2f0+2f0+2f0+2f0+2f0+2f0+eW0+eW0+eW0+eW0+eWx:tl2f0+2f0+2f0+2f0+2f0+2f0+eW0+ew
                                        MD5:2D4CD0D972C816D292FE201186958506
                                        SHA1:04D6E12D15BFDE6E50DC4927C8C805DF940E9B56
                                        SHA-256:5D347E5F612C4A307109E19C002441376BB95C8337549BF883D6B74FBE475D18
                                        SHA-512:6B26C833E12BC2CC06D30FB0FCBB32FEADC3524750084C7B022D91EC427735D6DD14D4A48CEBBFD8617F2750495CC12FEAE52B52DB86723C139D40576F55AEF4
                                        Malicious:false
                                        Reputation:low
                                        Preview:..[07:32:33]<<Program Manager>>....[07:32:33]<<Program Manager>>....[07:32:33]<<Program Manager>>....[07:32:33]<<Program Manager>>....[07:32:33]<<Program Manager>>....[07:32:33]<<Program Manager>>....[07:32:34]<<Program Manager>>....[07:32:34]<<Program Manager>>....[07:32:34]<<Program Manager>>....[07:32:34]<<Program Manager>>....[07:32:34]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.297135593859353
                                        Encrypted:false
                                        SSDEEP:6:tSWON0+YAdp0+YAdp0+YAdp0+YAdp0+YAdp0+YAdp0+YAdp0+TZ0+TZ0+TZx:tlI0+1dp0+1dp0+1dp0+1dp0+1dp0+1J
                                        MD5:D1F0DC87B26629934BF22450AE4C6D0B
                                        SHA1:1E873F896BC25919A76A8678DE7FC875C5275EE8
                                        SHA-256:F95016BBB890E92284C783737737F6AE996C8A0D9DB20A6413BA213EC1232B48
                                        SHA-512:D789D2A47D44D02B71184C92879BF9E2659BA533C0FB408C3BA74123C5222E7CB2ECA728D8F77514398DE0560E17B7912BF1372EE9999B3B9872E938E9721754
                                        Malicious:false
                                        Reputation:low
                                        Preview:..[07:33:38]<<Program Manager>>....[07:33:39]<<Program Manager>>....[07:33:39]<<Program Manager>>....[07:33:39]<<Program Manager>>....[07:33:39]<<Program Manager>>....[07:33:39]<<Program Manager>>....[07:33:39]<<Program Manager>>....[07:33:39]<<Program Manager>>....[07:33:40]<<Program Manager>>....[07:33:40]<<Program Manager>>....[07:33:40]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.362098822605423
                                        Encrypted:false
                                        SSDEEP:6:tSWvXp0+vXp0+vXp0+vXp0+vXp0+C0+C0+C0+C0+C0+Cx:tlvZ0+vZ0+vZ0+vZ0+vZ0+C0+C0+C0+C
                                        MD5:1A0FA39FBA370C6AD6352E4B2984D0DD
                                        SHA1:6B71F687D515C6A4F8533F1FB1F111D6ADEA253A
                                        SHA-256:CF60A966D1DD6548E569867DEC0EC3FEA732AC7AE294599DD18B81819601D2BF
                                        SHA-512:530AC6110733940503D7AB1384D6BDB5F00FF3D1D2B2C2FD0FB645EA67B193DB0467643661ED3E29AA65F521F47786D74A0F573231D9CBC329A771DD24D293A1
                                        Malicious:false
                                        Reputation:low
                                        Preview:..[07:32:25]<<Program Manager>>....[07:32:25]<<Program Manager>>....[07:32:25]<<Program Manager>>....[07:32:25]<<Program Manager>>....[07:32:25]<<Program Manager>>....[07:32:26]<<Program Manager>>....[07:32:26]<<Program Manager>>....[07:32:26]<<Program Manager>>....[07:32:26]<<Program Manager>>....[07:32:26]<<Program Manager>>....[07:32:26]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.310354046253363
                                        Encrypted:false
                                        SSDEEP:6:tSWQf0+Qf0+Qf0+Qf0+Qf0+Qf0+Qf0+A0+A0+A0+Ax:tlQf0+Qf0+Qf0+Qf0+Qf0+Qf0+Qf0+AS
                                        MD5:CDEB921DAD317E3E339E206A0FF89C04
                                        SHA1:A7871923C1E7EA80A95EDBC991E7319911918A60
                                        SHA-256:0A6A0870A201A7D937FFEB38AD7B047557D30CF2E853EE861F103A0B4DFA07E6
                                        SHA-512:5EEEAC6DF6EBD172D5D7D9F4E007460345FA519109EDBD051B603A719F5DE32355089F96B0E704F2CF2286600AFF421261BAEBEDF32D723B5C616E3EC191E569
                                        Malicious:false
                                        Reputation:low
                                        Preview:..[07:33:29]<<Program Manager>>....[07:33:29]<<Program Manager>>....[07:33:29]<<Program Manager>>....[07:33:29]<<Program Manager>>....[07:33:29]<<Program Manager>>....[07:33:29]<<Program Manager>>....[07:33:29]<<Program Manager>>....[07:33:30]<<Program Manager>>....[07:33:30]<<Program Manager>>....[07:33:30]<<Program Manager>>....[07:33:30]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.383210085083239
                                        Encrypted:false
                                        SSDEEP:6:tSWVjp0+Vjp0+Vjp0+Vjp0+Vjp0+Vjp0+uLZ0+uLZ0+uLZ0+uLZ0+uLZx:tlj0+j0+j0+j0+j0+j0+uN0+uN0+uN0K
                                        MD5:7F377A3FB9141942B8A6E4757F95B900
                                        SHA1:A2A46C66D4ADA27722E3CE10ABBB8A62FA496F21
                                        SHA-256:79011C511DBC74B549356E62FB03EE8EC9EC4831EF160DA8C582A2FEE76A6941
                                        SHA-512:2616ADDF0DAF61E1303F2FD3B97FCD8A0429D86E7A2F0F365C9CE7CEF3A593C0528539E97812D99BB21DE8B1ACFC2A455E55B8C1D92BBFC0147D0D8CE7AEA2F0
                                        Malicious:false
                                        Reputation:low
                                        Preview:..[07:32:41]<<Program Manager>>....[07:32:41]<<Program Manager>>....[07:32:41]<<Program Manager>>....[07:32:41]<<Program Manager>>....[07:32:41]<<Program Manager>>....[07:32:41]<<Program Manager>>....[07:32:42]<<Program Manager>>....[07:32:42]<<Program Manager>>....[07:32:42]<<Program Manager>>....[07:32:42]<<Program Manager>>....[07:32:42]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.345808164346669
                                        Encrypted:false
                                        SSDEEP:12:tlCCp0+CCp0+CCp0+CCp0+CCp0+/0+/0+/0+/0+/0+/0+/x:tlx++x++x++x++x++8+8+8+8+8+8+Z
                                        MD5:C48E68C75C42D965017AA06209CABA92
                                        SHA1:65EA3E4AEC695A2369CC3AEA427C54C8208029E9
                                        SHA-256:E00883A9D18F8C2985313AFA67DF8BAAE553B76D2AC3250313504471EC5148FF
                                        SHA-512:15A2D5F007B2B396D3858059BEBA7498CA5C01BAEAAE1301749BCECE49BDC8883D2C42EF18F8CFE76FCD32581E5C6F8AC341D0E1A86174287A0EB77E886F5C84
                                        Malicious:false
                                        Reputation:low
                                        Preview:..[07:33:19]<<Program Manager>>....[07:33:19]<<Program Manager>>....[07:33:19]<<Program Manager>>....[07:33:19]<<Program Manager>>....[07:33:19]<<Program Manager>>....[07:33:20]<<Program Manager>>....[07:33:20]<<Program Manager>>....[07:33:20]<<Program Manager>>....[07:33:20]<<Program Manager>>....[07:33:20]<<Program Manager>>....[07:33:20]<<Program Manager>>....[07:33:20]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.300027007245535
                                        Encrypted:false
                                        SSDEEP:6:tSW6dp0+6dp0+6dp0+6dp0+6dp0+6dp0+6dp0+1Z0+1Z0+1Z0+1Zx:tl6f0+6f0+6f0+6f0+6f0+6f0+6f0+ff
                                        MD5:8E39C0F417846FAF977CC63ACDA8B0FB
                                        SHA1:95A64687A2DB1A55F7DCF567912C7BCDC8999FDE
                                        SHA-256:32944E23F67867D8DA352AC1C61A6478D1C080E2127B62AE2228E8AAE8E3454A
                                        SHA-512:678F1883A07607620D138249C4C6427B45616B705A58B5157893329E8038A97D706D171858CEB88225FF0CAD680C2FB9E23096220FEFAA0A10A052A8151217D4
                                        Malicious:false
                                        Reputation:low
                                        Preview:..[07:33:05]<<Program Manager>>....[07:33:05]<<Program Manager>>....[07:33:05]<<Program Manager>>....[07:33:05]<<Program Manager>>....[07:33:05]<<Program Manager>>....[07:33:05]<<Program Manager>>....[07:33:05]<<Program Manager>>....[07:33:06]<<Program Manager>>....[07:33:06]<<Program Manager>>....[07:33:06]<<Program Manager>>....[07:33:06]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.234751417603449
                                        Encrypted:false
                                        SSDEEP:6:tSWWCp0+WCp0+WCp0+WCp0+WCp0+WCp0+ON0+ON0+ON0+ON0+ONx:tlWW0+WW0+WW0+WW0+WW0+WW0+I0+I0h
                                        MD5:1F12CA40F1ACD9C56260ED7D0F6CC5EC
                                        SHA1:AC3181DB90E85EB8DD6A04E60ACFE2C728D755B0
                                        SHA-256:FE55443816319D9BC9C527D00F4C0AAC510ECF6F2E972009430599F6124C582E
                                        SHA-512:DEB9EAB83470C8FAE610C7FD94C59498C47A89CD1A6BA8559E35455AB8FF97B77C9A706BB3AA1ED1A8A117F9EA71F0B9625114D68F07D8883A188133AE0A4306
                                        Malicious:false
                                        Reputation:low
                                        Preview:..[07:33:37]<<Program Manager>>....[07:33:37]<<Program Manager>>....[07:33:37]<<Program Manager>>....[07:33:37]<<Program Manager>>....[07:33:37]<<Program Manager>>....[07:33:37]<<Program Manager>>....[07:33:38]<<Program Manager>>....[07:33:38]<<Program Manager>>....[07:33:38]<<Program Manager>>....[07:33:38]<<Program Manager>>....[07:33:38]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.373929164813413
                                        Encrypted:false
                                        Malicious:false
                                        Reputation:low
                                        Preview:..[07:32:34]<<Program Manager>>....[07:32:34]<<Program Manager>>....[07:32:35]<<Program Manager>>....[07:32:35]<<Program Manager>>....[07:32:35]<<Program Manager>>....[07:32:35]<<Program Manager>>....[07:32:35]<<Program Manager>>....[07:32:35]<<Program Manager>>....[07:32:35]<<Program Manager>>....[07:32:36]<<Program Manager>>....[07:32:36]<<Program Manager>>....[07:32:36]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.324150299180992
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:11]<<Program Manager>>....[07:33:11]<<Program Manager>>....[07:33:11]<<Program Manager>>....[07:33:11]<<Program Manager>>....[07:33:11]<<Program Manager>>....[07:33:12]<<Program Manager>>....[07:33:12]<<Program Manager>>....[07:33:12]<<Program Manager>>....[07:33:12]<<Program Manager>>....[07:33:12]<<Program Manager>>....[07:33:12]<<Program Manager>>....[07:33:12]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.383210085083239
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:44]<<Program Manager>>....[07:32:44]<<Program Manager>>....[07:32:44]<<Program Manager>>....[07:32:44]<<Program Manager>>....[07:32:44]<<Program Manager>>....[07:32:45]<<Program Manager>>....[07:32:45]<<Program Manager>>....[07:32:45]<<Program Manager>>....[07:32:45]<<Program Manager>>....[07:32:45]<<Program Manager>>....[07:32:45]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.326061136366424
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:40]<<Program Manager>>....[07:33:40]<<Program Manager>>....[07:33:40]<<Program Manager>>....[07:33:40]<<Program Manager>>....[07:33:41]<<Program Manager>>....[07:33:41]<<Program Manager>>....[07:33:41]<<Program Manager>>....[07:33:41]<<Program Manager>>....[07:33:41]<<Program Manager>>....[07:33:41]<<Program Manager>>....[07:33:41]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.3128275092660635
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:36]<<Program Manager>>....[07:32:36]<<Program Manager>>....[07:32:36]<<Program Manager>>....[07:32:36]<<Program Manager>>....[07:32:37]<<Program Manager>>....[07:32:37]<<Program Manager>>....[07:32:37]<<Program Manager>>....[07:32:37]<<Program Manager>>....[07:32:37]<<Program Manager>>....[07:32:37]<<Program Manager>>....[07:32:37]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.326061136366423
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:27]<<Program Manager>>....[07:33:27]<<Program Manager>>....[07:33:27]<<Program Manager>>....[07:33:27]<<Program Manager>>....[07:33:28]<<Program Manager>>....[07:33:28]<<Program Manager>>....[07:33:28]<<Program Manager>>....[07:33:28]<<Program Manager>>....[07:33:28]<<Program Manager>>....[07:33:28]<<Program Manager>>....[07:33:28]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.340662761780532
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:25]<<Program Manager>>....[07:33:26]<<Program Manager>>....[07:33:26]<<Program Manager>>....[07:33:26]<<Program Manager>>....[07:33:26]<<Program Manager>>....[07:33:26]<<Program Manager>>....[07:33:26]<<Program Manager>>....[07:33:26]<<Program Manager>>....[07:33:27]<<Program Manager>>....[07:33:27]<<Program Manager>>....[07:33:27]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.328374648923587
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:46]<<Program Manager>>....[07:33:46]<<Program Manager>>....[07:33:47]<<Program Manager>>....[07:33:47]<<Program Manager>>....[07:33:47]<<Program Manager>>....[07:33:47]<<Program Manager>>....[07:33:47]<<Program Manager>>....[07:33:47]<<Program Manager>>....[07:33:47]<<Program Manager>>....[07:33:48]<<Program Manager>>....[07:33:48]<<Program Manager>>....[07:33:48]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):330
                                        Entropy (8bit):4.216045112342437
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:32]<<Program Manager>>....[07:33:32]<<Program Manager>>....[07:33:32]<<Program Manager>>....[07:33:32]<<Program Manager>>....[07:33:32]<<Program Manager>>....[07:33:33]<<Program Manager>>....[07:33:33]<<Program Manager>>....[07:33:33]<<Program Manager>>....[07:33:33]<<Program Manager>>....[07:33:33]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.362098822605423
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:45]<<Program Manager>>....[07:33:45]<<Program Manager>>....[07:33:45]<<Program Manager>>....[07:33:45]<<Program Manager>>....[07:33:45]<<Program Manager>>....[07:33:45]<<Program Manager>>....[07:33:46]<<Program Manager>>....[07:33:46]<<Program Manager>>....[07:33:46]<<Program Manager>>....[07:33:46]<<Program Manager>>....[07:33:46]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.3128275092660635
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:30]<<Program Manager>>....[07:32:30]<<Program Manager>>....[07:32:30]<<Program Manager>>....[07:32:30]<<Program Manager>>....[07:32:30]<<Program Manager>>....[07:32:30]<<Program Manager>>....[07:32:30]<<Program Manager>>....[07:32:31]<<Program Manager>>....[07:32:31]<<Program Manager>>....[07:32:31]<<Program Manager>>....[07:32:31]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.27241143636508
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:35]<<Program Manager>>....[07:33:35]<<Program Manager>>....[07:33:35]<<Program Manager>>....[07:33:36]<<Program Manager>>....[07:33:36]<<Program Manager>>....[07:33:36]<<Program Manager>>....[07:33:36]<<Program Manager>>....[07:33:36]<<Program Manager>>....[07:33:36]<<Program Manager>>....[07:33:36]<<Program Manager>>....[07:33:37]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.302686940200454
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:31]<<Program Manager>>....[07:32:31]<<Program Manager>>....[07:32:31]<<Program Manager>>....[07:32:32]<<Program Manager>>....[07:32:32]<<Program Manager>>....[07:32:32]<<Program Manager>>....[07:32:32]<<Program Manager>>....[07:32:32]<<Program Manager>>....[07:32:32]<<Program Manager>>....[07:32:32]<<Program Manager>>....[07:32:33]<<Program Manager>>....[07:32:33]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.376805146216213
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:39]<<Program Manager>>....[07:32:39]<<Program Manager>>....[07:32:39]<<Program Manager>>....[07:32:40]<<Program Manager>>....[07:32:40]<<Program Manager>>....[07:32:40]<<Program Manager>>....[07:32:40]<<Program Manager>>....[07:32:40]<<Program Manager>>....[07:32:40]<<Program Manager>>....[07:32:40]<<Program Manager>>....[07:32:40]<<Program Manager>>....[07:32:41]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.378838917669008
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:57]<<Program Manager>>....[07:32:57]<<Program Manager>>....[07:32:57]<<Program Manager>>....[07:32:57]<<Program Manager>>....[07:32:57]<<Program Manager>>....[07:32:57]<<Program Manager>>....[07:32:58]<<Program Manager>>....[07:32:58]<<Program Manager>>....[07:32:58]<<Program Manager>>....[07:32:58]<<Program Manager>>....[07:32:58]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.322604024477179
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:16]<<Program Manager>>....[07:33:16]<<Program Manager>>....[07:33:16]<<Program Manager>>....[07:33:16]<<Program Manager>>....[07:33:16]<<Program Manager>>....[07:33:16]<<Program Manager>>....[07:33:17]<<Program Manager>>....[07:33:17]<<Program Manager>>....[07:33:17]<<Program Manager>>....[07:33:17]<<Program Manager>>....[07:33:17]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.405942340369826
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:58]<<Program Manager>>....[07:32:58]<<Program Manager>>....[07:32:59]<<Program Manager>>....[07:32:59]<<Program Manager>>....[07:32:59]<<Program Manager>>....[07:32:59]<<Program Manager>>....[07:32:59]<<Program Manager>>....[07:32:59]<<Program Manager>>....[07:32:59]<<Program Manager>>....[07:33:00]<<Program Manager>>....[07:33:00]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.291604530587578
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:09]<<Program Manager>>....[07:33:10]<<Program Manager>>....[07:33:10]<<Program Manager>>....[07:33:10]<<Program Manager>>....[07:33:10]<<Program Manager>>....[07:33:10]<<Program Manager>>....[07:33:10]<<Program Manager>>....[07:33:10]<<Program Manager>>....[07:33:11]<<Program Manager>>....[07:33:11]<<Program Manager>>....[07:33:11]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.362098822605423
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:48]<<Program Manager>>....[07:33:48]<<Program Manager>>....[07:33:48]<<Program Manager>>....[07:33:48]<<Program Manager>>....[07:33:48]<<Program Manager>>....[07:33:49]<<Program Manager>>....[07:33:49]<<Program Manager>>....[07:33:49]<<Program Manager>>....[07:33:49]<<Program Manager>>....[07:33:49]<<Program Manager>>....[07:33:49]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):330
                                        Entropy (8bit):4.288480152909674
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:22]<<Program Manager>>....[07:33:22]<<Program Manager>>....[07:33:23]<<Program Manager>>....[07:33:23]<<Program Manager>>....[07:33:23]<<Program Manager>>....[07:33:23]<<Program Manager>>....[07:33:23]<<Program Manager>>....[07:33:23]<<Program Manager>>....[07:33:24]<<Program Manager>>....[07:33:24]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.398612087820528
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:45]<<Program Manager>>....[07:32:46]<<Program Manager>>....[07:32:46]<<Program Manager>>....[07:32:46]<<Program Manager>>....[07:32:46]<<Program Manager>>....[07:32:46]<<Program Manager>>....[07:32:46]<<Program Manager>>....[07:32:46]<<Program Manager>>....[07:32:47]<<Program Manager>>....[07:32:47]<<Program Manager>>....[07:32:47]<<Program Manager>>....[07:32:47]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.268343431737297
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:01]<<Program Manager>>....[07:33:02]<<Program Manager>>....[07:33:02]<<Program Manager>>....[07:33:02]<<Program Manager>>....[07:33:02]<<Program Manager>>....[07:33:02]<<Program Manager>>....[07:33:02]<<Program Manager>>....[07:33:02]<<Program Manager>>....[07:33:03]<<Program Manager>>....[07:33:03]<<Program Manager>>....[07:33:03]<<Program Manager>>....[07:33:03]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.387894949224467
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:50]<<Program Manager>>....[07:32:50]<<Program Manager>>....[07:32:51]<<Program Manager>>....[07:32:51]<<Program Manager>>....[07:32:51]<<Program Manager>>....[07:32:51]<<Program Manager>>....[07:32:51]<<Program Manager>>....[07:32:51]<<Program Manager>>....[07:32:51]<<Program Manager>>....[07:32:52]<<Program Manager>>....[07:32:52]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.270554828954459
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:33]<<Program Manager>>....[07:33:34]<<Program Manager>>....[07:33:34]<<Program Manager>>....[07:33:34]<<Program Manager>>....[07:33:34]<<Program Manager>>....[07:33:34]<<Program Manager>>....[07:33:34]<<Program Manager>>....[07:33:34]<<Program Manager>>....[07:33:35]<<Program Manager>>....[07:33:35]<<Program Manager>>....[07:33:35]<<Program Manager>>....[07:33:35]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.340652808831324
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:23]<<Program Manager>>....[07:32:23]<<Program Manager>>....[07:32:23]<<Program Manager>>....[07:32:24]<<Program Manager>>....[07:32:24]<<Program Manager>>....[07:32:24]<<Program Manager>>....[07:32:24]<<Program Manager>>....[07:32:24]<<Program Manager>>....[07:32:24]<<Program Manager>>....[07:32:24]<<Program Manager>>....[07:32:24]<<Program Manager>>....[07:32:25]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.263101964183938
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:30]<<Program Manager>>....[07:33:30]<<Program Manager>>....[07:33:30]<<Program Manager>>....[07:33:31]<<Program Manager>>....[07:33:31]<<Program Manager>>....[07:33:31]<<Program Manager>>....[07:33:31]<<Program Manager>>....[07:33:31]<<Program Manager>>....[07:33:31]<<Program Manager>>....[07:33:31]<<Program Manager>>....[07:33:32]<<Program Manager>>....[07:33:32]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.3579410869724615
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:37]<<Program Manager>>....[07:32:38]<<Program Manager>>....[07:32:38]<<Program Manager>>....[07:32:38]<<Program Manager>>....[07:32:38]<<Program Manager>>....[07:32:38]<<Program Manager>>....[07:32:38]<<Program Manager>>....[07:32:38]<<Program Manager>>....[07:32:39]<<Program Manager>>....[07:32:39]<<Program Manager>>....[07:32:39]<<Program Manager>>....[07:32:39]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.259539517141877
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:22]<<Program Manager>>....[07:32:22]<<Program Manager>>....[07:32:22]<<Program Manager>>....[07:32:22]<<Program Manager>>....[07:32:22]<<Program Manager>>....[07:32:22]<<Program Manager>>....[07:32:22]<<Program Manager>>....[07:32:22]<<Program Manager>>....[07:32:23]<<Program Manager>>....[07:32:23]<<Program Manager>>....[07:32:23]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.3411211513875125
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:42]<<Program Manager>>....[07:32:42]<<Program Manager>>....[07:32:43]<<Program Manager>>....[07:32:43]<<Program Manager>>....[07:32:43]<<Program Manager>>....[07:32:43]<<Program Manager>>....[07:32:43]<<Program Manager>>....[07:32:43]<<Program Manager>>....[07:32:44]<<Program Manager>>....[07:32:44]<<Program Manager>>....[07:32:44]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.31626960487185
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:42]<<Program Manager>>....[07:33:42]<<Program Manager>>....[07:33:42]<<Program Manager>>....[07:33:42]<<Program Manager>>....[07:33:42]<<Program Manager>>....[07:33:42]<<Program Manager>>....[07:33:42]<<Program Manager>>....[07:33:43]<<Program Manager>>....[07:33:43]<<Program Manager>>....[07:33:43]<<Program Manager>>....[07:33:43]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.313786262077451
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:26]<<Program Manager>>....[07:32:27]<<Program Manager>>....[07:32:27]<<Program Manager>>....[07:32:27]<<Program Manager>>....[07:32:27]<<Program Manager>>....[07:32:27]<<Program Manager>>....[07:32:27]<<Program Manager>>....[07:32:27]<<Program Manager>>....[07:32:27]<<Program Manager>>....[07:32:28]<<Program Manager>>....[07:32:28]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.250074507250172
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:00]<<Program Manager>>....[07:33:00]<<Program Manager>>....[07:33:00]<<Program Manager>>....[07:33:00]<<Program Manager>>....[07:33:00]<<Program Manager>>....[07:33:01]<<Program Manager>>....[07:33:01]<<Program Manager>>....[07:33:01]<<Program Manager>>....[07:33:01]<<Program Manager>>....[07:33:01]<<Program Manager>>....[07:33:01]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.2677685883175265
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:06]<<Program Manager>>....[07:33:06]<<Program Manager>>....[07:33:06]<<Program Manager>>....[07:33:07]<<Program Manager>>....[07:33:07]<<Program Manager>>....[07:33:07]<<Program Manager>>....[07:33:07]<<Program Manager>>....[07:33:07]<<Program Manager>>....[07:33:07]<<Program Manager>>....[07:33:07]<<Program Manager>>....[07:33:08]<<Program Manager>>....[07:33:08]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.310765932660567
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:50]<<Program Manager>>....[07:33:50]<<Program Manager>>....[07:33:50]<<Program Manager>>....[07:33:50]<<Program Manager>>....[07:33:50]<<Program Manager>>....[07:33:50]<<Program Manager>>....[07:33:50]<<Program Manager>>....[07:33:50]<<Program Manager>>....[07:33:51]<<Program Manager>>....[07:33:51]<<Program Manager>>....[07:33:51]<<Program Manager>>....[07:33:51]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.361669687610703
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:24]<<Program Manager>>....[07:33:24]<<Program Manager>>....[07:33:24]<<Program Manager>>....[07:33:24]<<Program Manager>>....[07:33:24]<<Program Manager>>....[07:33:25]<<Program Manager>>....[07:33:25]<<Program Manager>>....[07:33:25]<<Program Manager>>....[07:33:25]<<Program Manager>>....[07:33:25]<<Program Manager>>....[07:33:25]<<Program Manager>>....[07:33:25]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.413332212703753
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:49]<<Program Manager>>....[07:32:49]<<Program Manager>>....[07:32:49]<<Program Manager>>....[07:32:49]<<Program Manager>>....[07:32:49]<<Program Manager>>....[07:32:49]<<Program Manager>>....[07:32:50]<<Program Manager>>....[07:32:50]<<Program Manager>>....[07:32:50]<<Program Manager>>....[07:32:50]<<Program Manager>>....[07:32:50]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.348987127077085
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:17]<<Program Manager>>....[07:33:17]<<Program Manager>>....[07:33:18]<<Program Manager>>....[07:33:18]<<Program Manager>>....[07:33:18]<<Program Manager>>....[07:33:18]<<Program Manager>>....[07:33:18]<<Program Manager>>....[07:33:18]<<Program Manager>>....[07:33:18]<<Program Manager>>....[07:33:18]<<Program Manager>>....[07:33:19]<<Program Manager>>....[07:33:19]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.2846475929103
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:43]<<Program Manager>>....[07:33:43]<<Program Manager>>....[07:33:43]<<Program Manager>>....[07:33:44]<<Program Manager>>....[07:33:44]<<Program Manager>>....[07:33:44]<<Program Manager>>....[07:33:44]<<Program Manager>>....[07:33:44]<<Program Manager>>....[07:33:44]<<Program Manager>>....[07:33:44]<<Program Manager>>....[07:33:44]<<Program Manager>>....[07:33:45]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.359803841471409
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:32:28]<<Program Manager>>....[07:32:28]<<Program Manager>>....[07:32:28]<<Program Manager>>....[07:32:28]<<Program Manager>>....[07:32:29]<<Program Manager>>....[07:32:29]<<Program Manager>>....[07:32:29]<<Program Manager>>....[07:32:29]<<Program Manager>>....[07:32:29]<<Program Manager>>....[07:32:29]<<Program Manager>>....[07:32:29]<<Program Manager>>....[07:32:29]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.324150299180992
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:21]<<Program Manager>>....[07:33:21]<<Program Manager>>....[07:33:21]<<Program Manager>>....[07:33:21]<<Program Manager>>....[07:33:21]<<Program Manager>>....[07:33:21]<<Program Manager>>....[07:33:21]<<Program Manager>>....[07:33:22]<<Program Manager>>....[07:33:22]<<Program Manager>>....[07:33:22]<<Program Manager>>....[07:33:22]<<Program Manager>>....[07:33:22]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.301492761999363
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:33:08]<<Program Manager>>....[07:33:08]<<Program Manager>>....[07:33:08]<<Program Manager>>....[07:33:08]<<Program Manager>>....[07:33:08]<<Program Manager>>....[07:33:09]<<Program Manager>>....[07:33:09]<<Program Manager>>....[07:33:09]<<Program Manager>>....[07:33:09]<<Program Manager>>....[07:33:09]<<Program Manager>>....[07:33:09]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):7755
                                        Entropy (8bit):4.437556142431081
                                        Encrypted:false
                                        Malicious:false
                                        Preview:..[07:31:48]<<Program Manager>>....[07:31:48]<<Program Manager>>....[07:31:49]<<Program Manager>>....[07:31:49]<<Program Manager>>....[07:31:49]<<Program Manager>>....[07:31:49]<<Program Manager>>....[07:31:49]<<Program Manager>>....[07:31:49]<<Program Manager>>....[07:31:49]<<Program Manager>>....[07:31:50]<<Program Manager>>....[07:31:50]<<Program Manager>>....[07:31:50]<<Program Manager>>....[07:31:50]<<Program Manager>>....[07:31:50]<<Program Manager>>....[07:31:50]<<Program Manager>>....[07:31:50]<<Program Manager>>....[07:31:51]<<Program Manager>>....[07:31:51]<<Program Manager>>....[07:31:51]<<Program Manager>>....[07:31:51]<<Program Manager>>....[07:31:51]<<Program Manager>>....[07:31:51]<<Program Manager>>....[07:31:51]<<Program Manager>>....[07:31:52]<<Program Manager>>....[07:31:52]<<Program Manager>>....[07:31:52]<<Program Manager>>....[07:31:52]<<Program Manager>>....[07:31:52]<<Program Manager>>....[07:31:52]<<Program Manager>>....[07:31:52]<<Program Manager>>....[07:31:5
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.339344119540764
                                        Encrypted:false
                                        SSDEEP:6:tSWKW0+KW0+KW0+KW0+KW0+Wp0+Wp0+Wp0+Wp0+Wp0+Wpx:tlKW0+KW0+KW0+KW0+KW0+C0+C0+C0+m
                                        MD5:A3AD96DCDD643840886D7B23A19348C3
                                        SHA1:5C9F012763EDAD11159186E66AC1A25C5BA0CDCA
                                        SHA-256:955718CA891DA4C47B429497AE91A961405A3A24576ABE6A820FBB2DE70EB85A
                                        SHA-512:6A380F273E75845A5AB8B40C6F7F24AE07BD15D044E9012F1988115A025FAF7D6220F2E252F34070EF904ACB0D781CCE37C25D19A229D182CFA43FF40F8A602D
                                        Malicious:false
                                        Preview:..[07:32:52]<<Program Manager>>....[07:32:52]<<Program Manager>>....[07:32:52]<<Program Manager>>....[07:32:52]<<Program Manager>>....[07:32:52]<<Program Manager>>....[07:32:53]<<Program Manager>>....[07:32:53]<<Program Manager>>....[07:32:53]<<Program Manager>>....[07:32:53]<<Program Manager>>....[07:32:53]<<Program Manager>>....[07:32:53]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.388415015075818
                                        Encrypted:false
                                        SSDEEP:12:tlIp0+Ip0+Ip0+OW0+OW0+OW0+OW0+OW0+OW0+OW0+OW0++x:tl5+5+5+O7+O7+O7+O7+O7+O7+O7+O75
                                        MD5:85EFBAF6A7F4044FBD858B6642A09C7E
                                        SHA1:F528908B8A74BF38403BF4D9C2D46973C0545B74
                                        SHA-256:1D5B1E1665004E3C0D37B4B2EF0A1571B3C9E4B3AA3BB6C25ADDD4C7E4EF41A0
                                        SHA-512:61E9B30BD2AA59941DED008EA8D7DD2D63719BAF98887A164948AE99E81A8A60C881CFD3C70DE8DA01A241BCF3F780F1DE99EA6D41C1CF0F66A3AF814025E73C
                                        Malicious:false
                                        Preview:..[07:32:55]<<Program Manager>>....[07:32:55]<<Program Manager>>....[07:32:55]<<Program Manager>>....[07:32:56]<<Program Manager>>....[07:32:56]<<Program Manager>>....[07:32:56]<<Program Manager>>....[07:32:56]<<Program Manager>>....[07:32:56]<<Program Manager>>....[07:32:56]<<Program Manager>>....[07:32:56]<<Program Manager>>....[07:32:56]<<Program Manager>>....[07:32:57]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):396
                                        Entropy (8bit):4.385768233458961
                                        Encrypted:false
                                        SSDEEP:12:tlC0+t0+t0+t0+t0+t0+t0+t0+Ip0+Ip0+Ip0+Ipx:tlP+6+6+6+6+6+6+6+5+5+5+W
                                        MD5:BB9A084C1F26FE62ED9FB29B17ECF7AB
                                        SHA1:62F2AEBB93027A71C80AECE40BB50FB884BB6F98
                                        SHA-256:65D7671C4E8B14C84F83C7DB22ABD1574F8B7CFBF0A7B56468F801E9A6343566
                                        SHA-512:7EFF87AC5DD85EBB2C6C6DC6F41F6A3BB569BFC5F1473DC90E1470888380CC989F6D6084EB7EFAF6AD9D188FAF2718D1BB7D9801E88FF8CBC1AE06F138839FFD
                                        Malicious:false
                                        Preview:..[07:32:53]<<Program Manager>>....[07:32:54]<<Program Manager>>....[07:32:54]<<Program Manager>>....[07:32:54]<<Program Manager>>....[07:32:54]<<Program Manager>>....[07:32:54]<<Program Manager>>....[07:32:54]<<Program Manager>>....[07:32:54]<<Program Manager>>....[07:32:55]<<Program Manager>>....[07:32:55]<<Program Manager>>....[07:32:55]<<Program Manager>>....[07:32:55]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.369572771702385
                                        Encrypted:false
                                        SSDEEP:6:tSW8N0+8N0+8N0+OW0+OW0+OW0+OW0+OW0+OW0+OW0+Ex:tl8N0+8N0+8N0+OW0+OW0+OW0+OW0+Of
                                        MD5:8251A194E9F4C556083D636547FD538E
                                        SHA1:87B16E8C8BB5F2036C178BC59AC65C312D80993E
                                        SHA-256:18B155858928C2DF969DEEAA5FCA3D29D70E169B970B02B968AE0CA395955084
                                        SHA-512:9FF6A3D6CCD3D400B0B9A4F9A95AEA0CC6029C064ED4CC23E66A039BA7531673B961DC9E7F4D38FABFFFAE32E44F07D6A561BCE0C82F4295A1B046EC7553D479
                                        Malicious:false
                                        Preview:..[07:33:14]<<Program Manager>>....[07:33:14]<<Program Manager>>....[07:33:14]<<Program Manager>>....[07:33:15]<<Program Manager>>....[07:33:15]<<Program Manager>>....[07:33:15]<<Program Manager>>....[07:33:15]<<Program Manager>>....[07:33:15]<<Program Manager>>....[07:33:15]<<Program Manager>>....[07:33:15]<<Program Manager>>....[07:33:16]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):363
                                        Entropy (8bit):4.304278802761717
                                        Encrypted:false
                                        SSDEEP:6:tSWI4nf0+I4nf0+I4nf0+I4nf0+I4nf0+I4nf0+8N0+8N0+8N0+8N0+8Nx:tlFf0+Ff0+Ff0+Ff0+Ff0+Ff0+8N0+8i
                                        MD5:EF8318B7913A52FDA7076BE4C785372B
                                        SHA1:12330FC04E15F8AD1FEE318F84AA1E374528B806
                                        SHA-256:06412A0642357B348D9927E707642DF4F936CFA63DCD0E46F93582DE1F292D49
                                        SHA-512:F4D5D3EE513A8D5241B3680EABECA0FF586FBCD00E7026237E4C9D4BC58DEF3FB7681EE9F73A867C3C467855628DD4E66BB83DA26397C93F70FD8B2146B859EF
                                        Malicious:false
                                        Preview:..[07:33:13]<<Program Manager>>....[07:33:13]<<Program Manager>>....[07:33:13]<<Program Manager>>....[07:33:13]<<Program Manager>>....[07:33:13]<<Program Manager>>....[07:33:13]<<Program Manager>>....[07:33:14]<<Program Manager>>....[07:33:14]<<Program Manager>>....[07:33:14]<<Program Manager>>....[07:33:14]<<Program Manager>>....[07:33:14]<<Program Manager>>..
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                        Category:dropped
                                        Size (bytes):51200
                                        Entropy (8bit):0.8745947603342119
                                        Encrypted:false
                                        SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                        MD5:378391FDB591852E472D99DC4BF837DA
                                        SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                        SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                        SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                        Malicious:false
                                        Preview:SQLite format 3
                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 9, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 9
                                        Category:dropped
                                        Size (bytes):196608
                                        Entropy (8bit):1.124003908482409
                                        Encrypted:false
                                        SSDEEP:384:KUM2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:Kkq+n0E91LyKOMq+8iP5GLP/0
                                        MD5:9BAA153ED70603FD15DF786AC77CA09F
                                        SHA1:44545D11CD105F8581D462A9FB010E9E8B7F7E9C
                                        SHA-256:B65E528EB61299BFF399BC1087E2CBEAC836EC20A783EDC379606212CAEAA9BD
                                        SHA-512:74B18EF4ED04AEB447E724BD6C0E1B88D047E5A7C7FA891C1F18FC4F012327BA0BB39E0C4E404E506F3D587D101513FA0B586AEEB23CD1F159611D15B9637F91
                                        Malicious:false
                                        Preview:SQLite format 3
                                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Entropy (8bit):7.589835484876056
                                        TrID:
                                        • Win64 Executable GUI (202006/5) 92.65%
                                        • Win64 Executable (generic) (12005/4) 5.51%
                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                        • DOS Executable Generic (2002/1) 0.92%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:otq7hhgWfq.exe
                                        File size:809'000 bytes
                                        MD5:d7ebf3ef787a3fb57a1a0fa793d0b2ab
                                        SHA1:959b4e0de4ee49034442e02fe1a0a5979217b1a4
                                        SHA256:e1649d0d19476fa985709537ff729473ccd494de534f40329c6b1d25ef5e026f
                                        SHA512:9a24df95a762d4efd9b8d23d9e1d4dc99561a80bc20f5302c8e882242f51c42a4fd3f8883956109e5d7dc35e468e9e9adc2eeed2896736cf0d00f0c5da5b1688
                                        SSDEEP:12288:xIR5x+u6RfbWYCrt/22puGGh6abmMbvZwPO5ICuAEHuTwBJtkQhp4SZ8qQFK9qWR:13WYatucdvl/XJbhzZ8qhqlPVPtq2Nyt
                                        TLSH:6605D1AFB5A72484FD625C30AEE87610DF67387ACE16DAF2069590302E361D1EC56F13
                                        File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...(z.g.........."..................\.........@..........................................`........................................
                                        Icon Hash:90cececece8e8eb0
                                        Entrypoint:0x140035cb0
                                        Entrypoint Section:.text
                                        Digitally signed:true
                                        Imagebase:0x140000000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x67E57A28 [Thu Mar 27 16:17:44 2025 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:6
                                        OS Version Minor:0
                                        File Version Major:6
                                        File Version Minor:0
                                        Subsystem Version Major:6
                                        Subsystem Version Minor:0
                                        Import Hash:8beb5ca1ff83475ee16fa1a921765aab
                                        Signature Valid:false
                                        Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                        Signature Validation Error:The digital signature of the object did not verify
                                        Error Number:-2146869232
                                        Not Before, Not After
                                        • 13/01/2023 01:00:00 17/01/2026 00:59:59
                                        Subject Chain
                                        • CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
                                        Version:3
                                        Thumbprint MD5:5F1B6B6C408DB2B4D60BAA489E9A0E5A
                                        Thumbprint SHA-1:15F760D82C79D22446CC7D4806540BF632B1E104
                                        Thumbprint SHA-256:28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
                                        Serial:0997C56CAA59055394D9A9CDB8BEEB56
                                        Instruction
                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x52848 | 0x28 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x58000 | 0x156c | .pdata
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc3200 | 0x2628 | .cSs
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5e000 | 0x688 | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4a1e0 | 0x140 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x52ad8 | 0x268 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x1000 | 0x48365 | 0x48400 | a1b902d81c50b41226313e2baebc1486 | False | 0.4831652789792388 | data | 6.395288971671145 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rdata | 0x4a000 | 0xa57c | 0xa600 | cd2bab3b908abd1e5c983b0728f4af58 | False | 0.45620764307228917 | data | 5.017278619936885 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .data | 0x55000 | 0x2138 | 0xc00 | 5fe7d7ec89d4e05cba28a650951efdcf | False | 0.158203125 | data | 2.2504156670554667 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .pdata | 0x58000 | 0x156c | 0x1600 | f3fbec576d56de90d32788bfc51ee622 | False | 0.4753196022727273 | data | 5.463944585783601 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .gxfg | 0x5a000 | 0x13d0 | 0x1400 | b3ddcfcf5948356499a0220c6cb2480d | False | 0.434765625 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 5.094957146805024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .retplne | 0x5c000 | 0x8c | 0x200 | 8c950f651287cbc1296bcb4e8cd7e990 | False | 0.126953125 | data | 1.050583247971927 |
                                        _RDATA | 0x5d000 | 0x1f4 | 0x200 | ab77f6ffbb38af2478befaa05538d3b6 | False | 0.53515625 | data | 4.23018233870101 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0x5e000 | 0x688 | 0x800 | f1bdac277c233bae372527f3cbb3caf0 | False | 0.513671875 | data | 4.982690986029319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                        .cSs | 0x5f000 | 0x6c000 | 0x6c000 | 99fa9fa555132630fb54bccd84e8ab70 | False | 1.0003187391493056 | data | 7.999587123582853 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        DLL | Import
                                        KERNEL32.dll | CloseHandle, CreateFileA, CreateFileW, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwindEx, RtlVirtualUnwind, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WideCharToMultiByte, WriteConsoleW, WriteFile
                                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                        2025-04-08T13:31:49.344989+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49686 | 162.55.60.2 | 80 | TCP
                                        • Total Packets: 57
                                        • 443 (HTTPS)
                                        • 80 (HTTP)
                                        • 53 (DNS)
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Apr 8, 2025 13:32:31.951594114 CEST4968380192.168.2.6199.232.214.172
                                        Apr 8, 2025 13:32:31.952001095 CEST804968423.203.176.221192.168.2.6
                                        Apr 8, 2025 13:32:31.952075005 CEST4968480192.168.2.623.203.176.221
                                        Apr 8, 2025 13:32:31.952119112 CEST804968223.203.176.221192.168.2.6
                                        Apr 8, 2025 13:32:31.952159882 CEST4968280192.168.2.623.203.176.221
                                        Apr 8, 2025 13:32:35.135641098 CEST8049686162.55.60.2192.168.2.6
                                        Apr 8, 2025 13:32:35.135752916 CEST4968680192.168.2.6162.55.60.2
                                        Apr 8, 2025 13:32:50.315818071 CEST8049686162.55.60.2192.168.2.6
                                        Apr 8, 2025 13:32:50.316194057 CEST4968680192.168.2.6162.55.60.2
                                        Apr 8, 2025 13:33:05.523868084 CEST8049686162.55.60.2192.168.2.6
                                        Apr 8, 2025 13:33:05.523973942 CEST4968680192.168.2.6162.55.60.2
                                        Apr 8, 2025 13:33:06.405693054 CEST443496812.23.227.215192.168.2.6
                                        Apr 8, 2025 13:33:06.405719042 CEST443496812.23.227.215192.168.2.6
                                        Apr 8, 2025 13:33:06.405966043 CEST49681443192.168.2.62.23.227.215
                                        Apr 8, 2025 13:33:06.559736013 CEST4969480192.168.2.6142.250.80.99
                                        Apr 8, 2025 13:33:06.652569056 CEST8049694142.250.80.99192.168.2.6
                                        Apr 8, 2025 13:33:06.652647018 CEST4969480192.168.2.6142.250.80.99
                                        Apr 8, 2025 13:33:21.337060928 CEST8049686162.55.60.2192.168.2.6
                                        Apr 8, 2025 13:33:21.337218046 CEST4968680192.168.2.6162.55.60.2
                                        Apr 8, 2025 13:33:36.521392107 CEST8049686162.55.60.2192.168.2.6
                                        Apr 8, 2025 13:33:36.521477938 CEST4968680192.168.2.6162.55.60.2
                                        Apr 8, 2025 13:33:38.669568062 CEST4968680192.168.2.6162.55.60.2
                                        Apr 8, 2025 13:33:38.848614931 CEST8049686162.55.60.2192.168.2.6
                                        Apr 8, 2025 13:33:38.848741055 CEST4968680192.168.2.6162.55.60.2

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Apr 8, 2025 13:31:48.700417995 CEST | 59628 | 53 | 192.168.2.6 | 1.1.1.1 |
| Apr 8, 2025 13:31:48.978553057 CEST | 53 | 59628 | 1.1.1.1 | 192.168.2.6 |
| Apr 8, 2025 13:32:05.982707024 CEST | 62315 | 53 | 192.168.2.6 | 1.1.1.1 |
| Apr 8, 2025 13:32:06.080605984 CEST | 53 | 62315 | 1.1.1.1 | 192.168.2.6 |
| Apr 8, 2025 13:32:18.623868942 CEST | 51834 | 53 | 192.168.2.6 | 1.1.1.1 |
| Apr 8, 2025 13:32:18.723809004 CEST | 53 | 51834 | 1.1.1.1 | 192.168.2.6 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Apr 8, 2025 13:31:48.700417995 CEST | 192.168.2.6 | 1.1.1.1 | 0x522f | Standard query (0) | showip.net | A (IP address) | IN (0x0001) | false |
| Apr 8, 2025 13:32:05.982707024 CEST | 192.168.2.6 | 1.1.1.1 | 0x40a3 | Standard query (0) | c.pki.goog | A (IP address) | IN (0x0001) | false |
| Apr 8, 2025 13:32:18.623868942 CEST | 192.168.2.6 | 1.1.1.1 | 0x2d7c | Standard query (0) | c.pki.goog | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Apr 8, 2025 13:31:48.978553057 CEST | 1.1.1.1 | 192.168.2.6 | 0x522f | No error (0) | showip.net | | 162.55.60.2 | A (IP address) | IN (0x0001) | false |
| Apr 8, 2025 13:32:05.677352905 CEST | 1.1.1.1 | 192.168.2.6 | 0xb100 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Apr 8, 2025 13:32:05.677352905 CEST | 1.1.1.1 | 192.168.2.6 | 0xb100 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Apr 8, 2025 13:32:06.080605984 CEST | 1.1.1.1 | 192.168.2.6 | 0x40a3 | No error (0) | c.pki.goog | pki-goog.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 8, 2025 13:32:06.080605984 CEST | 1.1.1.1 | 192.168.2.6 | 0x40a3 | No error (0) | pki-goog.l.google.com | | 142.250.80.99 | A (IP address) | IN (0x0001) | false |
| Apr 8, 2025 13:32:18.723809004 CEST | 1.1.1.1 | 192.168.2.6 | 0x2d7c | No error (0) | c.pki.goog | pki-goog.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Apr 8, 2025 13:32:18.723809004 CEST | 1.1.1.1 | 192.168.2.6 | 0x2d7c | No error (0) | pki-goog.l.google.com | | 142.251.41.3 | A (IP address) | IN (0x0001) | false |

                                        • showip.net
                                        • c.pki.goog
                                        Target ID:0
                                        Start time:07:31:46
                                        Start date:08/04/2025
                                        Path:C:\Users\user\Desktop\otq7hhgWfq.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\otq7hhgWfq.exe"
                                        Imagebase:0x7ff644240000
                                        File size:809'000 bytes
                                        MD5 hash:D7EBF3EF787A3FB57A1A0FA793D0B2AB
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:1
                                        Start time:07:31:47
                                        Start date:08/04/2025
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                        Imagebase:0x120000
                                        File size:262'432 bytes
                                        MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:2
                                        Start time:07:31:47
                                        Start date:08/04/2025
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                        Imagebase:0x200000
                                        File size:262'432 bytes
                                        MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:07:31:47
                                        Start date:08/04/2025
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                        Imagebase:0xe50000
                                        File size:262'432 bytes
                                        MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000003.00000002.2443490054.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:false

                                        No disassembly