
Analysis Report shipping order#.scr

Overview

General Information

Sample Name: shipping order#.scr (renamed file extension from scr to exe)
Analysis ID: 337536
MD5: a916070df947a28ea73074c080189d35
SHA1: 2c4215352fecfbd74b596f1125177f54cd010a4b
SHA256: b657538bf8bc1aca7ca8e7e02f1c5a39cbc8bc343bf7c5ebfe026f6dcc02fe32
Tags: DEU, Endurance, geo, NanoCore, nVpn, RAT, scr

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Powershell adding suspicious path to exclusion list
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Startup

  • System is w10x64
  • shipping order#.exe (PID: 5884 cmdline: 'C:\Users\user\Desktop\shipping order#.exe' MD5: A916070DF947A28EA73074C080189D35)
    • powershell.exe (PID: 5796 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5128 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4944 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6836 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order#.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6996 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6948 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 2460 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5136 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 4176 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 7124 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • shipping order#.exe (PID: 6648 cmdline: C:\Users\user\Desktop\shipping order#.exe MD5: A916070DF947A28EA73074C080189D35)
    • WerFault.exe (PID: 5824 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 2396 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • shipping order#.exe (PID: 5812 cmdline: 'C:\Users\user\Desktop\shipping order#.exe' MD5: A916070DF947A28EA73074C080189D35)
    • powershell.exe (PID: 1836 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 2848 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6880 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • shipping order#.exe (PID: 6440 cmdline: 'C:\Users\user\Desktop\shipping order#.exe' MD5: A916070DF947A28EA73074C080189D35)
  • shipping order#.exe (PID: 6476 cmdline: 'C:\Users\user\Desktop\shipping order#.exe' MD5: A916070DF947A28EA73074C080189D35)
  • shipping order#.exe (PID: 408 cmdline: 'C:\Users\user\Desktop\shipping order#.exe' MD5: A916070DF947A28EA73074C080189D35)
  • shipping order#.exe (PID: 5700 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' MD5: A916070DF947A28EA73074C080189D35)
  • dhcpmon.exe (PID: 5392 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: A916070DF947A28EA73074C080189D35)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Process Memory Space: shipping order#.exe PID: 6648 | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x151827:$x1: NanoCore.ClientPluginHost
  • 0x151888:$x2: IClientNetworkHost
  • 0x156c8d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x164bff:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: shipping order#.exe PID: 6648 | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
22.2.shipping order#.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.shipping order#.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
22.2.shipping order#.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
22.2.shipping order#.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\shipping order#.exe, ProcessId: 6648, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Powershell adding suspicious path to exclusion list
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\shipping order#.exe' , ParentImage: C:\Users\user\Desktop\shipping order#.exe, ParentProcessId: 5884, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force, ProcessId: 5796

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe | ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: shipping order#.exe | ReversingLabs: Detection: 29%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: shipping order#.exe PID: 6648, type: MEMORY
Source: Yara match | File source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: shipping order#.exe | Joe Sandbox ML: detected
Source: shipping order#.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.4:49728 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49772 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49784 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.4:49785 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49787 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.4:49793 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49798 version: TLS 1.0
Source: shipping order#.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: anagement.pdb source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000001B.00000003.827603731.000000000581E000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001B.00000003.736586979.00000000053A3000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: shipping order#.exe, 0000000F.00000002.976593035.0000000000D40000.00000004.00000001.sdmp
Source: Binary string: shipping order#.PDBF source: shipping order#.exe, 0000001E.00000002.1032422385.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: wbemcomn.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001B.00000003.835071436.0000000005810000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: shipping order#.PDB/ source: shipping order#.exe, 0000000F.00000002.924816243.0000000000958000.00000004.00000010.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbe source: dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmp
Source: Binary string: System.Configuration.pdbn source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000001B.00000003.835071436.0000000005810000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb6 source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001B.00000003.741556001.00000000033D4000.00000004.00000001.sdmp
Source: Binary string: anagement.pdb" source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000001B.00000003.832475642.000000000568C000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdb} source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: System.pdb"( source: WerFault.exe, 0000001B.00000003.833985645.0000000005661000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb" source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: System.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb@ source: WerFault.exe, 0000001B.00000003.832475642.000000000568C000.00000004.00000001.sdmp
Source: Binary string: wbemsvc.pdb" source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbO source: shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: shipping order#.exe, 0000000F.00000002.976593035.0000000000D40000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
Source: Binary string: clrjit.pdbC source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdbr source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb* source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: w.pdb source: shipping order#.exe, 0000000F.00000002.924816243.0000000000958000.00000004.00000010.sdmp, shipping order#.exe, 0000001C.00000002.1032849705.0000000000B78000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb| source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbs"D source: shipping order#.exe, 0000000F.00000002.976593035.0000000000D40000.00000004.00000001.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000001B.00000003.832475642.000000000568C000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: System.Management.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001B.00000003.737137005.00000000033CE000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbf source: WerFault.exe, 0000001B.00000003.832475642.000000000568C000.00000004.00000001.sdmp
Source: Binary string: iertutil.pdb, source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdbe source: WerFault.exe, 0000001B.00000003.829277162.000000000581A000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb: source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb@ source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdb0 source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop\shipping order#.PDB8 source: shipping order#.exe, 0000001C.00000002.1032849705.0000000000B78000.00000004.00000001.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdbE source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.PDB source: shipping order#.exe, 0000001E.00000002.1032422385.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: nsi.pdbE source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001B.00000003.835071436.0000000005810000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: System.Management.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: shipping order#.exe, 00000000.00000002.1019645820.0000000001686000.00000004.00000020.sdmp, dhcpmon.exe, 00000022.00000002.1032681111.0000000001432000.00000004.00000020.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: ntasn1.pdbd source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdbZ source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: ic.pdb source: shipping order#.exe, 0000001C.00000002.1032849705.0000000000B78000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000001B.00000003.827603731.000000000581E000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbn source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: wmiutils.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: System.pdbw source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: indows.Forms.pdb"" source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001B.00000003.736910312.00000000033C3000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001B.00000003.835071436.0000000005810000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 0000001B.00000003.833597720.000000000568D000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
Source: Binary string: fastprox.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: shipping order#.exe, 00000000.00000002.1019584885.0000000001621000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmp
Source: Binary string: wbemsvc.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: (PWoLC:\Windows\Microsoft.VisualBasic.pdb source: shipping order#.exe, 00000000.00000002.981736046.00000000012F8000.00000004.00000001.sdmp, shipping order#.exe, 0000000F.00000002.924816243.0000000000958000.00000004.00000010.sdmp, shipping order#.exe, 0000001C.00000002.1032849705.0000000000B78000.00000004.00000001.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbE%l source: shipping order#.exe, 0000000F.00000002.976593035.0000000000D40000.00000004.00000001.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\user\Desktop\shipping order#.PDB source: shipping order#.exe, 0000000F.00000002.924816243.0000000000958000.00000004.00000010.sdmp
        Source: Binary string: System.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: shipping order#.exe, 00000000.00000002.1019645820.0000000001686000.00000004.00000020.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdb@ source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: rtutils.pdbh source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: shipping order#.PDB source: shipping order#.exe, 00000000.00000002.981736046.00000000012F8000.00000004.00000001.sdmp, shipping order#.exe, 0000001C.00000002.1032849705.0000000000B78000.00000004.00000001.sdmp
        Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001B.00000003.835071436.0000000005810000.00000004.00000040.sdmp
        Source: Binary string: psapi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 0000001B.00000003.827603731.000000000581E000.00000004.00000040.sdmp
        Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: cldapi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001B.00000003.741556001.00000000033D4000.00000004.00000001.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\user\Desktop\shipping order#.PDBX source: shipping order#.exe, 00000000.00000002.981736046.00000000012F8000.00000004.00000001.sdmp
        Source: Binary string: combase.pdbk source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: ml.pdb9 source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
        Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: wbemprox.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: edputil.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp

        Networking:

        Connects to a pastebin service (likely for C&C)
        Source: unknownDNS query: name: pastebin.com
        Source: unknownDNS query: name: pastebin.com
        Source: unknownDNS query: name: pastebin.com
        Source: unknownDNS query: name: pastebin.com
        Source: unknownDNS query: name: pastebin.com
        Source: unknownDNS query: name: pastebin.com
        Source: unknownDNS query: name: pastebin.com
        Source: global trafficTCP traffic: 192.168.2.4:49739 -> 194.5.97.173:10004
        Source: Joe Sandbox ViewIP Address: 104.23.99.190 104.23.99.190
        Source: Joe Sandbox ViewIP Address: 104.23.99.190 104.23.99.190
        Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
        Source: unknownHTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.4:49728 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49772 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49784 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.4:49785 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49787 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.4:49793 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.4:49798 version: TLS 1.0
        Source: unknownDNS traffic detected: queries for: pastebin.com
        Source: shipping order#.exe, 00000000.00000002.1019538863.00000000015EF000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
        Source: powershell.exe, 00000025.00000003.844054876.0000000007D63000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsi7
        Source: powershell.exe, 00000001.00000003.785389643.0000000003543000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: shipping order#.exe, 00000000.00000002.1019538863.00000000015EF000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
        Source: shipping order#.exe, 00000000.00000002.1019538863.00000000015EF000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
        Source: shipping order#.exe, 00000000.00000002.1019538863.00000000015EF000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
        Source: powershell.exe, 00000025.00000003.844054876.0000000007D63000.00000004.00000001.sdmpString found in binary or memory: http://logo.vGs
        Source: shipping order#.exe, 00000000.00000002.1019538863.00000000015EF000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0
        Source: shipping order#.exe, 00000000.00000002.1019538863.00000000015EF000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0:
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0C
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0O
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
        Source: shipping order#.exe, 00000000.00000003.657555811.00000000033E8000.00000004.00000001.sdmp, shipping order#.exe, 0000000F.00000003.813659881.00000000029D4000.00000004.00000001.sdmp, shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
        Source: WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0
        Source: powershell.exe, 00000003.00000003.881997379.0000000004F9E000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
        Source: powershell.exe, 00000004.00000003.945556965.0000000005233000.00000004.00000001.sdmpString found in binary or memory: https://go.microd
        Source: shipping order#.exe, 00000015.00000003.1039301625.00000000032B4000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/W63zsRav
        Source: shipping order#.exe, 00000000.00000002.1019538863.00000000015EF000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmpString found in binary or memory: https://www.digicert.com/CPS0
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49787
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49798
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
        Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49793 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
        Source: unknownNetwork traffic detected: HTTP traffic on port 49798 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
        Source: shipping order#.exe, 00000000.00000002.1019414297.00000000015BA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara matchFile source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: shipping order#.exe PID: 6648, type: MEMORY
        Source: Yara matchFile source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: shipping order#.exe PID: 6648, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: shipping order#.exe PID: 6648, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Initial sample is a PE file and has a suspicious name
        Source: initial sampleStatic PE information: Filename: shipping order#.exe
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_01945E88 NtSetInformationThread,
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_0194D02A NtSetInformationThread,
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_018EF0B8
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_018E0040
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_018EF988
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_018EED70
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_019432C0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_0335A200
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_0335EDC8
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033582F0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03358AF0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033579B1
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_0335A1EF
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03357073
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_0335707B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03357053
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_0335705B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033510B0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033570B3
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033570BB
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033550BA
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_0335709B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033530F0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356F33
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356F3B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356F13
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356F1B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03358F70
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356F7B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356F5B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033577B1
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03357FB1
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356F9B
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03350630
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03358EB0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356EF3
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356EFB
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356ED0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03357530
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03353D70
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03358D50
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356C7E
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356C69
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03358CB0
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356C9E
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356110
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_03356C49
        Source: C:\Users\user\Desktop\shipping order#.exeCode function: 0_2_033558F0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02F7DAE0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02F707C0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02F7A5D8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02F75A08
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02F7AB40
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02F7A078
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_02F751E0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0034BA78
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0034DDA8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_0034F610
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02F0A3D0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02F08B68
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02F06838
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_02F284B8
        Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 2396
        Source: shipping order#.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: shipping order#.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.22.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: shipping order#.exe, 00000000.00000002.1019414297.00000000015BA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs shipping order#.exe
        Source: shipping order#.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: shipping order#.exe PID: 6648, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: shipping order#.exe PID: 6648, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.shipping order#.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 22.2.shipping order#.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 22.2.shipping order#.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: shipping order#.exe, 00000000.00000002.1019645820.0000000001686000.00000004.00000020.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
        Source: classification engineClassification label: mal100.troj.adwa.evad.winEXE@58/24@27/4
        Source: C:\Users\user\Desktop\shipping order#.exeFile created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\shipping order#.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4984:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_01
        Source: C:\Users\user\Desktop\shipping order#.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{db5d3893-53a7-40c5-9e07-c472ba23289f}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
        Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5884
        Source: C:\Users\user\Desktop\shipping order#.exeFile created: C:\Users\user\AppData\Local\Temp\50bacdd5-1381-4848-995e-cb76453c6468
        Source: shipping order#.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\shipping order#.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\shipping order#.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\shipping order#.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\shipping order#.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\shipping order#.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\shipping order#.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\shipping order#.exeFile read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\shipping order#.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\shipping order#.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\shipping order#.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\shipping order#.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\shipping order#.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: shipping order#.exeReversingLabs: Detection: 29%
        Source: C:\Users\user\Desktop\shipping order#.exeFile read: C:\Users\user\Desktop\shipping order#.exe
        Source: unknownProcess created: C:\Users\user\Desktop\shipping order#.exe 'C:\Users\user\Desktop\shipping order#.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order#.exe' -Force
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: unknownProcess created: C:\Users\user\Desktop\shipping order#.exe 'C:\Users\user\Desktop\shipping order#.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: unknownProcess created: C:\Users\user\Desktop\shipping order#.exe 'C:\Users\user\Desktop\shipping order#.exe'
        Source: unknownProcess created: C:\Users\user\Desktop\shipping order#.exe C:\Users\user\Desktop\shipping order#.exe
        Source: unknownProcess created: C:\Users\user\Desktop\shipping order#.exe 'C:\Users\user\Desktop\shipping order#.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 2396
        Source: unknownProcess created: C:\Users\user\Desktop\shipping order#.exe 'C:\Users\user\Desktop\shipping order#.exe'
        Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe'
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: C:\Users\user\Desktop\shipping order#.exe C:\Users\user\Desktop\shipping order#.exe
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\shipping order#.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: shipping order#.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: shipping order#.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
        Source: shipping order#.exeStatic file information: File size 2818048 > 1048576
        Source: shipping order#.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x287000
        Source: shipping order#.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: anagement.pdb source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
        Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000001B.00000003.827603731.000000000581E000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
        Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001B.00000003.736586979.00000000053A3000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: shipping order#.exe, 0000000F.00000002.976593035.0000000000D40000.00000004.00000001.sdmp
        Source: Binary string: shipping order#.PDBF source: shipping order#.exe, 0000001E.00000002.1032422385.0000000000EF8000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: wbemcomn.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001B.00000003.835071436.0000000005810000.00000004.00000040.sdmp
        Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: shipping order#.PDB/ source: shipping order#.exe, 0000000F.00000002.924816243.0000000000958000.00000004.00000010.sdmp
        Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbe source: dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmp
        Source: Binary string: System.Configuration.pdbn source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
        Source: Binary string: winnsi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: ml.pdb source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
        Source: Binary string: clr.pdb source: WerFault.exe, 0000001B.00000003.835071436.0000000005810000.00000004.00000040.sdmp
        Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmp
        Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: schannel.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: urlmon.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: urlmon.pdb6 source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001B.00000003.741556001.00000000033D4000.00000004.00000001.sdmp
        Source: Binary string: anagement.pdb" source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
        Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000001B.00000003.832475642.000000000568C000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.pdb} source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: System.pdb"( source: WerFault.exe, 0000001B.00000003.833985645.0000000005661000.00000004.00000001.sdmp
        Source: Binary string: System.Core.pdb" source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
        Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
        Source: Binary string: mscoree.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: System.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.pdb@ source: WerFault.exe, 0000001B.00000003.832475642.000000000568C000.00000004.00000001.sdmp
        Source: Binary string: wbemsvc.pdb" source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbO source: shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: shipping order#.exe, 0000000F.00000002.976593035.0000000000D40000.00000004.00000001.sdmp
        Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: clrjit.pdbC source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: ntmarta.pdbr source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: nsi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.pdb* source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: w.pdb source: shipping order#.exe, 0000000F.00000002.924816243.0000000000958000.00000004.00000010.sdmp, shipping order#.exe, 0000001C.00000002.1032849705.0000000000B78000.00000004.00000001.sdmp
        Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: ole32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: profapi.pdb| source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbs"D source: shipping order#.exe, 0000000F.00000002.976593035.0000000000D40000.00000004.00000001.sdmp
        Source: Binary string: iertutil.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: msasn1.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000001B.00000003.832475642.000000000568C000.00000004.00000001.sdmp
        Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: combase.pdb source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: System.Management.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001B.00000003.737137005.00000000033CE000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.ni.pdbf source: WerFault.exe, 0000001B.00000003.832475642.000000000568C000.00000004.00000001.sdmp
        Source: Binary string: iertutil.pdb, source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: secur32.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: cryptsp.pdbe source: WerFault.exe, 0000001B.00000003.829277162.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: rasadhlp.pdb: source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdb@ source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: ncrypt.pdb0 source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\user\Desktop\shipping order#.PDB8 source: shipping order#.exe, 0000001C.00000002.1032849705.0000000000B78000.00000004.00000001.sdmp
        Source: Binary string: Windows.StateRepositoryPS.pdbE source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.PDB source: shipping order#.exe, 0000001E.00000002.1032422385.0000000000EF8000.00000004.00000001.sdmp
        Source: Binary string: shcore.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: nsi.pdbE source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001B.00000003.835071436.0000000005810000.00000004.00000040.sdmp
        Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: System.Management.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: shipping order#.exe, 00000000.00000002.1019645820.0000000001686000.00000004.00000020.sdmp, dhcpmon.exe, 00000022.00000002.1032681111.0000000001432000.00000004.00000020.sdmp
        Source: Binary string: shell32.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: ntasn1.pdbd source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: ncryptsslp.pdbZ source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: ic.pdb source: shipping order#.exe, 0000001C.00000002.1032849705.0000000000B78000.00000004.00000001.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: winhttp.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000001B.00000003.827603731.000000000581E000.00000004.00000040.sdmp
        Source: Binary string: iphlpapi.pdbn source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: wmiutils.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: System.pdbw source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
        Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: indows.Forms.pdb"" source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001B.00000003.736910312.00000000033C3000.00000004.00000001.sdmp
        Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: profapi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001B.00000003.835071436.0000000005810000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 0000001B.00000003.833597720.000000000568D000.00000004.00000001.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: clrjit.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: rasman.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: propsys.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: fastprox.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: shipping order#.exe, 00000000.00000002.1019584885.0000000001621000.00000004.00000020.sdmp, shipping order#.exe, 0000000F.00000002.982403002.0000000000D58000.00000004.00000001.sdmp, dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmp
        Source: Binary string: wbemsvc.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: (PWoLC:\Windows\Microsoft.VisualBasic.pdb source: shipping order#.exe, 00000000.00000002.981736046.00000000012F8000.00000004.00000001.sdmp, shipping order#.exe, 0000000F.00000002.924816243.0000000000958000.00000004.00000010.sdmp, shipping order#.exe, 0000001C.00000002.1032849705.0000000000B78000.00000004.00000001.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbE%l source: shipping order#.exe, 0000000F.00000002.976593035.0000000000D40000.00000004.00000001.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\user\Desktop\shipping order#.PDB source: shipping order#.exe, 0000000F.00000002.924816243.0000000000958000.00000004.00000010.sdmp
        Source: Binary string: System.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: shipping order#.exe, 00000000.00000002.1019645820.0000000001686000.00000004.00000020.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdb@ source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: rtutils.pdbh source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: shipping order#.PDB source: shipping order#.exe, 00000000.00000002.981736046.00000000012F8000.00000004.00000001.sdmp, shipping order#.exe, 0000001C.00000002.1032849705.0000000000B78000.00000004.00000001.sdmp
        Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001B.00000003.835071436.0000000005810000.00000004.00000040.sdmp
        Source: Binary string: psapi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 0000001B.00000003.827603731.000000000581E000.00000004.00000040.sdmp
        Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: cldapi.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001B.00000003.741556001.00000000033D4000.00000004.00000001.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\user\Desktop\shipping order#.PDBX source: shipping order#.exe, 00000000.00000002.981736046.00000000012F8000.00000004.00000001.sdmp
        Source: Binary string: combase.pdbk source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: ml.pdb9 source: WerFault.exe, 0000001B.00000003.832591742.0000000005673000.00000004.00000001.sdmp
        Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000001B.00000003.829005240.0000000005812000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdbf source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: wbemprox.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdb source: WerFault.exe, 0000001B.00000003.831721235.0000000005671000.00000004.00000001.sdmp
        Source: Binary string: edputil.pdb source: WerFault.exe, 0000001B.00000003.829502242.0000000005825000.00000004.00000040.sdmp
        Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001B.00000003.834642112.000000000581A000.00000004.00000040.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 22.2.shipping order#.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs: .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 22.2.shipping order#.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs: .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: shipping order#.exe.0.dr: Static PE information: real checksum: 0x28adff should be: 0x2b30a7
        Source: shipping order#.exe: Static PE information: real checksum: 0x28adff should be: 0x2b30a7
        Source: dhcpmon.exe.22.dr: Static PE information: real checksum: 0x28adff should be: 0x2b30a7
        Source: C:\Users\user\Desktop\shipping order#.exe: Code function: 0_2_03352F32 pushad ; retf
        Source: C:\Users\user\Desktop\shipping order#.exe: Code function: 0_2_03352F7A pushad ; retf
        Source: C:\Users\user\Desktop\shipping order#.exe: Code function: 0_2_0335377A pushad ; iretd
        Source: C:\Users\user\Desktop\shipping order#.exe: Code function: 0_2_03351F5B push eax; ret
        Source: C:\Users\user\Desktop\shipping order#.exe: Code function: 0_2_03352F5A push eax; retf
        Source: C:\Users\user\Desktop\shipping order#.exe: Code function: 0_2_03352F5A pushad ; retf
        Source: C:\Users\user\Desktop\shipping order#.exe: Code function: 0_2_0335375A push eax; iretd
        Source: C:\Users\user\Desktop\shipping order#.exe: Code function: 0_2_0335379A pushad ; iretd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Code function: 1_2_02F7B25A push FFFFFF8Bh; iretd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Code function: 1_2_02F7B5EF push FFFFFF8Bh; iretd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Code function: 3_2_00346088 push esp; iretd
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Code function: 3_2_00345C18 push eax; mov dword ptr [esp], edx
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Code function: 3_2_00348D61 push eax; mov dword ptr [esp], ecx
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Code function: 3_2_00345718 push eax; mov dword ptr [esp], edx
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Code function: 7_2_02F003C9 push eax; mov dword ptr [esp], edx
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Code function: 7_2_02F00B80 push eax; mov dword ptr [esp], edx
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Code function: 7_2_02F03B20 push eax; mov dword ptr [esp], ecx
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Code function: 7_2_02F26107 pushfd ; ret
        Source: 22.2.shipping order#.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs: High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 22.2.shipping order#.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs: High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\shipping order#.exe: File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe (dropped file)
        Source: C:\Users\user\Desktop\shipping order#.exe: File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe (dropped file)
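        The three "real checksum ... should be" lines record that the CheckSum field in the optional header of the submitted file and of both dropped copies (0x28adff) does not match what the PE checksum algorithm yields for the file contents (0x2b30a7). Linkers fill this field at build time, so a stale value means the bytes were changed afterwards, typically by a packer or crypter stub or by hand patching, which is why it is listed under Data Obfuscation. The Python below is an added example, not part of this report and not code from the sample: it implements the checksum algorithm (the one exposed by imagehlp's CheckSumMappedFile), runs it against a constructed minimal PE header (not a real executable; the header fields and the bogus 0xDEADBEEF checksum are invented for the demonstration), and classifies the result. One caveat a practitioner needs: Windows only enforces the field for kernel-mode drivers and a few boot-critical system binaries, and plenty of user-mode builds leave it at zero, so a zero field is "unset" rather than evidence of tampering; a nonzero wrong value, as in this report, is the interesting case.

```python
import struct
import sys

# Constructed, minimal PE image: a DOS header pointing at a PE signature, a
# COFF header and the start of a PE32 optional header. Not a real executable;
# it only exists so the checksum routine has something to run on offline.
SAMPLE_PE = bytearray(0xC0)
SAMPLE_PE[0:2] = b"MZ"
struct.pack_into("<I", SAMPLE_PE, 0x3C, 0x40)        # e_lfanew -> PE header at 0x40
SAMPLE_PE[0x40:0x44] = b"PE\0\0"
struct.pack_into("<H", SAMPLE_PE, 0x44, 0x014C)      # Machine: i386
struct.pack_into("<H", SAMPLE_PE, 0x54, 0xE0)        # SizeOfOptionalHeader
struct.pack_into("<H", SAMPLE_PE, 0x58, 0x10B)       # PE32 magic
struct.pack_into("<I", SAMPLE_PE, 0x98, 0xDEADBEEF)  # bogus CheckSum, as after a patch


def checksum_offset(data):
    """File offset of OptionalHeader.CheckSum: e_lfanew + 4 (signature)
    + 20 (COFF header) + 64 (CheckSum sits at +64 in both PE32 and PE32+)."""
    if data[0:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    offset = e_lfanew + 4 + 20 + 64
    if offset % 4:
        raise ValueError("unaligned PE header not handled by this example")
    return offset


def compute_pe_checksum(data):
    """Sum the file as little-endian dwords with end-around carry, skipping
    the CheckSum field itself, fold to 16 bits, then add the file length."""
    skip = checksum_offset(data)
    padded = bytes(data) + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def stored_pe_checksum(data):
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def check_pe_checksum(data):
    """Return (stored, computed, verdict). 'mismatch' is the case the report
    flags; 'unset' (stored == 0) is common for unsigned user-mode builds."""
    stored = stored_pe_checksum(data)
    computed = compute_pe_checksum(data)
    if stored == 0:
        verdict = "unset"
    elif stored == computed:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return stored, computed, verdict


def fix_pe_checksum(data):
    """Write the correct value into the header, as a linker or editbin would."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_offset(out), compute_pe_checksum(out))
    return bytes(out)


if __name__ == "__main__":
    # With no argument, run on the constructed header; otherwise on a real file.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    stored, computed, verdict = check_pe_checksum(data)
    print(f"stored 0x{stored:x}, computed 0x{computed:x}: {verdict}")
```

Run it against the submitted sample or either dropped copy and the stored/computed pair should reproduce the report's 0x28adff / 0x2b30a7. The verdict is a triage hint, not a conviction: compare it with the signer and timestamp, since a packed but legitimately signed file will also show a mismatch if the checksum was fixed before packing.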

        Boot Survival:

        Creates an undocumented autostart registry key
        Source: C:\Users\user\Desktop\shipping order#.exe: Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon shell
        Creates autostart registry keys with suspicious names
        Source: C:\Users\user\Desktop\shipping order#.exe: Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
        Source: C:\Users\user\Desktop\shipping order#.exe: Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run shipping order#.exe
        Creates multiple autostart registry keys
        Source: C:\Users\user\Desktop\shipping order#.exe: Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
        Source: C:\Users\user\Desktop\shipping order#.exe: Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run shipping order#.exe
        Drops PE files to the startup folder
        Source: C:\Users\user\Desktop\shipping order#.exe: File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe (dropped file)
        Source: C:\Users\user\Desktop\shipping order#.exe: File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe (observed 2 times)
        Source: C:\Users\user\Desktop\shipping order#.exe: File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe\:Zone.Identifier:$DATA
        Source: C:\Users\user\Desktop\shipping order#.exe: Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> (observed 2 times)
        Source: C:\Users\user\Desktop\shipping order#.exe: Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run shipping order#.exe (observed 2 times)
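        The Boot Survival evidence shows three persistence paths layered on one another: Run values under HKCU, a Shell value under the per-user Winlogon key (the documented Shell value lives under HKLM; the HKCU copy is a per-user override that the report calls undocumented), and a copy of the executable in the Startup folder. On a suspect host the same evidence can be pulled with `reg export` and checked offline. The Python below is an added example, not part of this report and not the sample's code: it parses a constructed .reg export (the key names and the dropped-file paths are taken from the evidence above, but the value contents are hypothetical, since the report does not show what was written to Shell or to the value listed as <Unknown>) and applies heuristics chosen for this example: a per-user Winlogon Shell value, a Shell value that is anything other than plain explorer.exe, Run entries that point into the Startup folder or another user-writable location, and Run values named like a file rather than a product.

```python
import re
import sys

# Constructed .reg export for the demonstration. Key names and dropped-file
# paths mirror the report's evidence; the value contents are hypothetical.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"shipping order#.exe"="\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\shipping order#.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell"="explorer.exe, \"C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''

# "name"=data or @=data; the name may contain escaped quotes and backslashes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def _unescape(s):
    # .reg string escaping: \\ -> \ and \" -> "
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value_name, data) triples from a .reg export. String
    values are unescaped; dword:/hex: values keep their raw text."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        entries.append((key, name, data))
    return entries


def first_image_path(command):
    """Executable part of a Run value: the quoted path, or text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_autostart(entries):
    """Heuristics chosen for this example, not a complete autostart audit."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if k.endswith("\\currentversion\\winlogon") and name.lower() == "shell":
            # Shell is a comma-separated program list; the stock value is explorer.exe
            programs = [p.strip().strip('"').lower() for p in data.split(",")]
            if k.startswith("hkey_current_user"):
                findings.append((key, name, "per-user Winlogon Shell override (documented location is HKLM)"))
            if programs != ["explorer.exe"]:
                findings.append((key, name, "Winlogon Shell is not plain explorer.exe: " + data))
        elif re.search(r"\\currentversion\\run(once)?$", k):
            path = first_image_path(data).lower()
            if "\\start menu\\programs\\startup\\" in path:
                findings.append((key, name, "Run value points into the Startup folder (double persistence)"))
            elif any(marker in path for marker in USER_WRITABLE):
                findings.append((key, name, "Run value points to a user-writable location"))
            if name.lower().endswith(".exe"):
                findings.append((key, name, "Run value named like a file rather than a product"))
    return findings


if __name__ == "__main__":
    # A real export written by `reg export <key> out.reg` is UTF-16 with a BOM.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for key, name, why in triage_autostart(parse_reg_export(text)):
        print(f"{key}\\{name}: {why}")
```

Export both Winlogon keys and both Run keys (HKCU and HKLM) into one file before running it; the user-writable rule is noisy on hosts with per-user installers such as OneDrive, so treat it as a prompt to look at the file, while a per-user Shell value or a Shell list longer than explorer.exe is worth escalating on its own.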

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\shipping order#.exe: File opened: C:\Users\user\Desktop\shipping order#.exe:Zone.Identifier read attributes | delete
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
        Source: C:\Users\user\Desktop\shipping order#.exe: Process information set: NOOPENFILEERRORBOX (observed 50 times)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\shipping order#.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
        Source: C:\Users\user\Desktop\shipping order#.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
        Source: C:\Users\user\Desktop\shipping order#.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: shipping order#.exe, 00000000.00000003.657555811.00000000033E8000.00000004.00000001.sdmp, shipping order#.exe, 0000000F.00000003.813659881.00000000029D4000.00000004.00000001.sdmp, shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAMEX
        Source: shipping order#.exe, 00000000.00000003.657555811.00000000033E8000.00000004.00000001.sdmp, shipping order#.exe, 0000000F.00000003.813659881.00000000029D4000.00000004.00000001.sdmp, shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\shipping order#.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys
        Source: C:\Users\user\Desktop\shipping order#.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
        Source: C:\Users\user\Desktop\shipping order#.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys
        Source: C:\Users\user\Desktop\shipping order#.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
        Source: C:\Users\user\Desktop\shipping order#.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
        Source: C:\Users\user\Desktop\shipping order#.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
        Source: C:\Users\user\Desktop\shipping order#.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\shipping order#.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
        Source: C:\Users\user\Desktop\shipping order#.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\shipping order#.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2828
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2595
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3259
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3301
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1529
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 402
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1110
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1410
        Source: C:\Users\user\Desktop\shipping order#.exe Window / User API: threadDelayed 4988
        Source: C:\Users\user\Desktop\shipping order#.exe Window / User API: threadDelayed 3774
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5892 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5892 Thread sleep time: -40000s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5892 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6312 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6312 Thread sleep time: -40000s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7016 Thread sleep count: 1529 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7000 Thread sleep count: 402 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6976 Thread sleep count: 96 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1020 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1020 Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7088 Thread sleep count: 1110 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7084 Thread sleep count: 1410 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6964 Thread sleep count: 60 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5464 Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5464 Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5464 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\shipping order#.exe TID: 6824 Thread sleep time: -3689348814741908s >= -30000s
        Source: C:\Users\user\Desktop\shipping order#.exe TID: 1904 Thread sleep time: -40000s >= -30000s
        Source: C:\Users\user\Desktop\shipping order#.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: %l'C:\WINDOWS\system32\drivers\vmmouse.sys
        Source: shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: VMWAREx
        Source: dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmp Binary or memory string: VMware
        Source: shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: %l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: VMWAREeButYesKeyn
        Source: shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIx
        Source: shipping order#.exe, 00000000.00000002.1019584885.0000000001621000.00000004.00000020.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareKNPLR8C9Win32_VideoController2DR3P3Y6VideoController120060621000000.000000-00031332490display.infMSBDA_NBUH88APCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AA
        Source: dhcpmon.exe, 00000022.00000002.1032681111.0000000001432000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00
        Source: shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: vmware
        Source: shipping order#.exe, 00000000.00000003.657555811.00000000033E8000.00000004.00000001.sdmp, shipping order#.exe, 0000000F.00000003.813659881.00000000029D4000.00000004.00000001.sdmp, shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: QEMUx
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmp Binary or memory string: SC:\WINDOWS\system32\drivers\VBoxMouse.sysESOFTWARE\VMware, Inc.\VMware Tools
        Source: shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: %l"SOFTWARE\VMware, Inc.\VMware T
        Source: dhcpmon.exe, 00000022.00000002.1021388888.00000000013D4000.00000004.00000020.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareKNPLR8C9Win32_VideoController2DR3P3Y6VideoController120060621000000.000000-00031332490display.infMSBDA_NBUH88APCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024
        Source: dhcpmon.exe, 00000022.00000002.1036181021.00000000015A0000.00000004.00000001.sdmp Binary or memory string: KC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
        Source: WerFault.exe, 0000001B.00000002.1042495885.00000000033F9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
        Source: shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: %l"SOFTWARE\VMware, Inc.\VMware Tools
        Source: shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: VMWARE
        Source: shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: %l&C:\WINDOWS\system32\drivers\vmhgfs.sys
        Source: dhcpmon.exe, 00000022.00000002.1029031551.000000000141B000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}bU
        Source: shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: %l)C:\WINDOWS\system32\drivers\VBoxMouse.sys
        Source: shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp Binary or memory string: vmwarex
        Source: shipping order#.exe, 00000000.00000002.1019584885.0000000001621000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\shipping order#.exe Process information queried: ProcessInformation

        Anti Debugging:

        Contains functionality to hide a thread from the debugger
        Source: C:\Users\user\Desktop\shipping order#.exe Code function: 0_2_01945E88 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,0194CF47,00000000,00000000
        Hides threads from debuggers
        Source: C:\Users\user\Desktop\shipping order#.exe Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\shipping order#.exe Process queried: DebugPort
        Source: C:\Users\user\Desktop\shipping order#.exe Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\shipping order#.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Adds a directory exclusion to Windows Defender
        Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order#.exe' -Force
        Injects a PE file into foreign processes
        Source: C:\Users\user\Desktop\shipping order#.exe Memory written: C:\Users\user\Desktop\shipping order#.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\shipping order#.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order#.exe' -Force
        Source: C:\Users\user\Desktop\shipping order#.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Users\user\Desktop\shipping order#.exe Process created: C:\Users\user\Desktop\shipping order#.exe C:\Users\user\Desktop\shipping order#.exe
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
        Source: C:\Users\user\Desktop\shipping order#.exeProcess created: unknown unknown
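The process-creation records above show the sample spawning powershell.exe to run Add-MpPreference -ExclusionPath against its own image on the Desktop and against the copy it dropped into the per-user Startup folder. A detection engineer wants to catch exactly that pattern: a Defender exclusion whose target is a user-writable path, requested by a parent that itself runs from a user-writable path. The checker below is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It takes (parent image, command line) pairs such as Sysmon Event ID 1 supplies, extracts every value passed to an exclusion parameter of Add-MpPreference or Set-MpPreference, and scores each one. The sample events are constructed to resemble the lines above, and the user-writable marker list and scoring are assumptions of the example, not part of any product.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Defender preference cmdlets that take exclusion parameters. Set-MpPreference
# replaces the exclusion list instead of appending to it; both matter.
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)

# One argument value: single-quoted, double-quoted, or a bare token.
VALUE = r"""'[^']*'|"[^"]*"|[^\s,]+"""

# -ExclusionPath / -ExclusionProcess / -ExclusionExtension followed by one value
# or a comma-separated list. PowerShell accepts any unambiguous prefix of a
# parameter name, so only the stem is required here.
PARAM_RE = re.compile(
    rf"-(Exclusion\w*)\s+((?:{VALUE})(?:\s*,\s*(?:{VALUE}))*)",
    re.IGNORECASE,
)

# Assumed marker list: directories a standard user can write to. An exclusion
# pointing here lets a dropped binary escape scanning. "\users\" also covers
# Desktop and AppData under the profile.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\public\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


@dataclass
class Finding:
    parent_image: str
    cmdlet: str
    param: str
    value: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def _norm(path: str) -> str:
    """Strip surrounding quotes and lower-case for path comparison."""
    return path.strip().strip("'\"").lower()


def analyze(parent_image: str, command_line: str) -> List[Finding]:
    """Return one Finding per value passed to a Defender exclusion parameter."""
    cmdlet = CMDLET_RE.search(command_line)
    if not cmdlet:
        return []
    parent = _norm(parent_image)
    findings: List[Finding] = []
    for pm in PARAM_RE.finditer(command_line):
        param = pm.group(1)
        for raw in re.findall(VALUE, pm.group(2)):
            value = _norm(raw)
            reasons: List[str] = []
            if any(marker in value for marker in USER_WRITABLE):
                reasons.append("excluded path is under a user-writable location")
            if STARTUP_DIR in value:
                reasons.append("excluded path is in the per-user Startup folder (persistence plus exclusion)")
            if value == parent:
                reasons.append("process excludes its own image (self-exclusion)")
            if any(marker in parent for marker in USER_WRITABLE):
                reasons.append("parent process runs from a user-writable location")
            findings.append(Finding(parent_image, cmdlet.group(0), param, raw.strip("'\""), reasons))
    return findings


def scan(events: List[Tuple[str, str]]) -> List[Finding]:
    """Run analyze() over (parent_image, command_line) pairs."""
    return [f for parent, cmd in events for f in analyze(parent, cmd)]


# Constructed sample events modeled on this report's process-creation lines;
# the third is a plausible administrative exclusion used as a benign control.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("C:\\Users\\user\\Desktop\\shipping order#.exe",
     "'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' Add-MpPreference -ExclusionPath "
     "'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\shipping order#.exe' -Force"),
    ("C:\\Users\\user\\Desktop\\shipping order#.exe",
     "'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' Add-MpPreference -ExclusionPath "
     "'C:\\Users\\user\\Desktop\\shipping order#.exe' -Force"),
    ("C:\\Windows\\explorer.exe",
     "powershell.exe Add-MpPreference -ExclusionPath \"D:\\SQLData\",\"D:\\SQLLogs\" -ExclusionExtension mdf,ldf"),
    ("C:\\Users\\user\\Desktop\\shipping order#.exe",
     "'C:\\Windows\\System32\\cmd.exe' /c timeout 1"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        level = "HIGH" if f.score >= 2 else "INFO"
        print(f"[{level}] {f.cmdlet} -{f.param} {f.value}  (parent: {f.parent_image})")
        for r in f.reasons:
            print("    -", r)
```

Two caveats when deploying something like this. Add-MpPreference needs administrative rights, so a successful exclusion means the sample already ran elevated; alert on the attempt regardless of outcome, and confirm the outcome against Defender's own configuration-changed event (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log). A command line passed through -EncodedCommand or assembled from variables will not match the regex above; decode it first or pair this check with script block logging (Event ID 4104), which records the cmdlet as executed.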
        Source: shipping order#.exe, 00000000.00000002.1020347396.0000000001CF0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
        Source: shipping order#.exe, 00000000.00000002.1020347396.0000000001CF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: shipping order#.exe, 00000000.00000002.1020347396.0000000001CF0000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: shipping order#.exe, 00000000.00000002.1020347396.0000000001CF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Users\user\Desktop\shipping order#.exe VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Users\user\Desktop\shipping order#.exe VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Users\user\Desktop\shipping order#.exe VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Users\user\Desktop\shipping order#.exe VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Users\user\Desktop\shipping order#.exe VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Users\user\Desktop\shipping order#.exe VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Users\user\Desktop\shipping order#.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: shipping order#.exe PID: 6648, type: MEMORY
        Source: Yara match | File source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: shipping order#.exe, 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: shipping order#.exe PID: 6648, type: MEMORY
        Source: Yara match | File source: 22.2.shipping order#.exe.400000.0.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Columns, in order: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        (The digits after a technique name are the report's signature-count badges for that technique; rows without a final cell have no Impact entry.)

        Valid Accounts | Windows Management Instrumentation 11 | Startup Items 1 | Startup Items 1 | Disable or Modify Tools 11 | Input Capture 1 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Web Service 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 421 | Process Injection 112 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | System Information Discovery 22 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder 421 | Obfuscated Files or Information 1 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 1 | NTDS | Security Software Discovery 531 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 2 | LSA Secrets | Virtualization/Sandbox Evasion 25 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 1 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 25 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 2 | Jamming or Denial of Service | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue

        Behavior Graph

        Behavior Graph ID: 337536 | Sample: shipping order#.scr | Start date: 08/01/2021 | Architecture: WINDOWS | Score: 100
        (Graph rendered as a process tree; node numbers are the graph's own. Per the graph legend, the number badges next to a process are its counts of created registry values and created files.)

        Root (node 2)
          DNS/IP: pastebin.com; 1.ispnano.dns-cloud.net
          Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Sigma detected: Powershell adding suspicious path to exclusion list; 14 other signatures
          Started: shipping order#.exe (node 8, badges 24 6); shipping order#.exe (node 13); shipping order#.exe (node 15); 4 other processes (node 17)

        shipping order#.exe (node 8)
          DNS/IP: pastebin.com 104.23.98.190, 443, 49728, 49785 CLOUDFLARENETUS United States
          Dropped: C:\Users\user\AppData\...\shipping order#.exe, PE32; C:\...\shipping order#.exe:Zone.Identifier, ASCII
          Signatures: Creates an undocumented autostart registry key; Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; Injects a PE file into a foreign processes
          Started: shipping order#.exe (node 19); cmd.exe (node 24, badge 1); cmd.exe (node 26); 6 other processes (node 32)

        shipping order#.exe (node 13)
          DNS/IP: 104.23.99.190, 443, 49772, 49784 CLOUDFLARENETUS United States
          Signatures: Adds a directory exclusion to Windows Defender; Hides threads from debuggers
          Started: powershell.exe (node 28); powershell.exe (node 30)

        shipping order#.exe (node 19)
          DNS/IP: 1.ispnano.dns-cloud.net 194.5.97.173, 10004, 49739, 49745 DANILENKODE Netherlands; 192.168.2.1 unknown unknown
          Dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32; C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859; C:\...\dhcpmon.exe:Zone.Identifier, ASCII
          Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)

        cmd.exe (node 24)
          Started: conhost.exe (node 34); timeout.exe (node 36, badge 1)

        cmd.exe (node 26)
          Started: conhost.exe (node 38); timeout.exe (node 40)

        powershell.exe (node 28)
          Started: conhost.exe (node 42)

        6 other processes (node 32)
          Started: conhost.exe (node 44); conhost.exe (node 46); conhost.exe (node 48); 3 other processes (node 50)


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        shipping order#.exe | 30% | ReversingLabs | Win32.Trojan.Wacatac
        shipping order#.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 30% | ReversingLabs | Win32.Trojan.Wacatac
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe | 30% | ReversingLabs | Win32.Trojan.Wacatac

        Unpacked PE Files

        Source | Detection | Scanner | Label
        22.2.shipping order#.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1108376

        Domains

        Source | Detection | Scanner | Label
        1.ispnano.dns-cloud.net | 1% | Virustotal |

        URLs

        Source | Detection | Scanner | Label
        https://go.micro | 0% | URL Reputation | safe
        http://logo.vGs | 0% | Avira URL Cloud | safe
        https://go.microd | 0% | Avira URL Cloud | safe
        http://crl.globalsi7 | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        1.ispnano.dns-cloud.net | 194.5.97.173 | true | false | | unknown
        pastebin.com | 104.23.98.190 | true | false | | high

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmp | false | | high
        https://go.micro | powershell.exe, 00000003.00000003.881997379.0000000004F9E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmp | false | | high
        https://pastebin.com/raw/W63zsRav | shipping order#.exe, 00000015.00000003.1039301625.00000000032B4000.00000004.00000001.sdmp | false | | high
        http://logo.vGs | powershell.exe, 00000025.00000003.844054876.0000000007D63000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmp | false | | high
        https://go.microd | powershell.exe, 00000004.00000003.945556965.0000000005233000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | shipping order#.exe, 00000000.00000003.657555811.00000000033E8000.00000004.00000001.sdmp, shipping order#.exe, 0000000F.00000003.813659881.00000000029D4000.00000004.00000001.sdmp, shipping order#.exe, 00000015.00000003.910702496.0000000002CE5000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmp | false | | high
        http://crl.globalsi7 | powershell.exe, 00000025.00000003.844054876.0000000007D63000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 0000001B.00000003.809038386.00000000059D0000.00000004.00000001.sdmp | false | | high

        Contacted IPs

        Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        104.23.99.190 | unknown | United States | 13335 | CLOUDFLARENETUS | false
        194.5.97.173 | unknown | Netherlands | 208476 | DANILENKODE | false
        104.23.98.190 | unknown | United States | 13335 | CLOUDFLARENETUS | false

        Private

        IP
        192.168.2.1

                                        General Information

        Joe Sandbox Version: 31.0.0 Red Diamond
        Analysis ID: 337536
        Start date: 08.01.2021
        Start time: 18:27:13
        Joe Sandbox Product: CloudBasic
        Overall analysis duration: 0h 17m 41s
        Hypervisor based Inspection enabled: false
        Report type: light
        Sample file name: shipping order#.scr (renamed file extension from scr to exe)
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of new started processes analysed: 40
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Detection: MAL
        Classification: mal100.troj.adwa.evad.winEXE@58/24@27/4
        EGA Information: Failed
        HDC Information: Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        Warnings:
                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                        • TCP Packets have been reduced to 100
                                        • Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.193.48, 51.11.168.160, 168.61.161.212, 52.255.188.83, 93.184.221.240, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194, 51.104.144.132, 40.126.1.130, 40.126.1.166, 20.190.129.24, 20.190.129.130, 40.126.1.128, 20.190.129.2, 40.126.1.145, 20.190.129.19, 104.43.139.144
                                        • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, skypedataprdcolcus16.cloudapp.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
                                        • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtSetInformationFile calls found.

                                        Simulations

                                        Behavior and APIs

        Time | Type | Description
        18:28:06 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> C:\Users\user\Desktop\shipping order#.exe
        18:28:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run shipping order#.exe C:\Users\user\Desktop\shipping order#.exe
        18:28:23 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> C:\Users\user\Desktop\shipping order#.exe
        18:28:32 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run shipping order#.exe C:\Users\user\Desktop\shipping order#.exe
        18:28:40 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe
        18:28:41 | API Interceptor | 753x Sleep call for process: shipping order#.exe modified
        18:28:54 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        18:29:12 | API Interceptor | 159x Sleep call for process: powershell.exe modified
        18:30:33 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        18:30:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        18:30:55 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dhcpmon.exe

                                        Joe Sandbox View / Context

                                        IPs

        Match: 104.23.99.190

        Associated Sample Name / URL | Detection | Context
        7fYoHeaCBG.exe | malicious | pastebin.com/raw/XMKKNkb0
        r0QRptqiCl.exe | malicious | pastebin.com/raw/XMKKNkb0
        JDgYMW0LHW.exe | malicious | pastebin.com/raw/XMKKNkb0
        kigAlmMyB1.exe | malicious | pastebin.com/raw/XMKKNkb0
        5T4Ykc0VSK.exe | malicious | pastebin.com/raw/XMKKNkb0
        afvhKak0Ir.exe | malicious | pastebin.com/raw/XMKKNkb0
        1KITgJnGbI.exe | malicious | pastebin.com/raw/XMKKNkb0
        DovV3LuJ6I.exe | malicious | pastebin.com/raw/XMKKNkb0
        66f8F6WvC1.exe | malicious | pastebin.com/raw/XMKKNkb0
        PxwWcmbMC5.exe | malicious | pastebin.com/raw/XMKKNkb0
        XnAJZR4NcN.exe | malicious | pastebin.com/raw/XMKKNkb0
        uqXsQvWMnL.exe | malicious | pastebin.com/raw/XMKKNkb0
        I8r7e1pqac.exe | malicious | pastebin.com/raw/XMKKNkb0
        VrR9J0FnSG.exe | malicious | pastebin.com/raw/XMKKNkb0
        dEpoPWHmoI.exe | malicious | pastebin.com/raw/XMKKNkb0
        zZp3oXclum.exe | malicious | pastebin.com/raw/XMKKNkb0
        aTZQZVVriQ.exe | malicious | pastebin.com/raw/XMKKNkb0
        U23peRXm5Z.exe | malicious | pastebin.com/raw/XMKKNkb0
        eXP2pYucWu.exe | malicious | pastebin.com/raw/XMKKNkb0
        L6UBlWyCpV.exe | malicious | pastebin.com/raw/XMKKNkb0

                                        Domains

        Match: pastebin.com

        Associated Sample Name / URL | Detection | Context
        0IO1Or2045.exe | malicious | 104.23.98.190
        OVl2ydWZDb | malicious | 104.23.98.190
        PO20002106.exe | malicious | 104.23.99.190
        eTrader-0.1.0.exe | malicious | 104.23.98.190
        eTrader-0.1.0.exe | malicious | 104.23.99.190
        Ema.exe | malicious | 104.23.98.190
        Order_1101201918_AUTECH.exe | malicious | 104.23.99.190
        TOP URGENT RFQ 2021 Anson Yang.exe | malicious | 104.23.98.190
        sample details.exe | malicious | 104.23.99.190
        zrr4Nw19.exe | malicious | 104.23.99.190
        TF5wEGc1Fp.exe | malicious | 104.23.99.190
        image002933894HF8474H038RHF7.exe | malicious | 104.23.98.190
        IMG-PO-SCAN-DOCUMENTS-00HDU12.exe | malicious | 104.23.98.190
        ZdCDLe85.exe | malicious | 104.23.99.190
        IMAGE-SCAN-DOCUMENTS-002D.exe | malicious | 104.23.98.190
        NEW ORDER.pdf.exe | malicious | 104.23.99.190
        KnXebI2hpX.exe | malicious | 104.23.99.190
        httpscdndiscordappcomattachments785319022966997035791667564027052052aGBWK3jv8vMhTU3.exe | malicious | 104.23.99.190
        sz.exe | malicious | 104.23.99.190
        Confirmation Copy RefNo-MT102.exe | malicious | 104.23.99.190

ASN

Match: DANILENKODE
Associated Sample Name / URL | Detection | Context
BL,IN&PL.exe | malicious | 194.5.97.206
New PO.exe | malicious | 194.5.98.32
Order Inquiry.exe | malicious | 194.5.97.235
IMG 01-06-2021 93899283.exe | malicious | 194.5.97.177
SWIFT345343445pdf.exe | malicious | 194.5.97.164
DHL1.exe | malicious | 194.5.98.145
Original BL_pdf.exe | malicious | 194.5.97.107
AWB & CI_pdf.exe | malicious | 194.5.97.107
File.exe | malicious | 194.5.98.108
New Avinode Plans and Prices 2021.xls | malicious | 194.5.98.215
Shiping Doc BL.exe | malicious | 194.5.98.157
Shiping Doc BL.exe | malicious | 194.5.98.157
Shiping Doc BL.exe | malicious | 194.5.98.157
Shiping Doc BL.exe | malicious | 194.5.98.157
Shiping Doc BL.exe | malicious | 194.5.98.157
Shiping Doc BL.exe | malicious | 194.5.98.157
INV_2021354783263530001.exe | malicious | 194.5.98.211
SWB copy.exe | malicious | 194.5.98.108
DHL FI.exe | malicious | 194.5.98.145
DHL DETAILS.exe | malicious | 194.5.98.145

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Context
0939489392303224233.exe | malicious | 162.159.128.233
KeyMaker.exe | malicious | 1.0.0.0
b12d7feb3507461a.exe | malicious | 162.159.138.232
ARCH_2021.doc | malicious | 172.67.141.14
SecuriteInfo.com.Trojan.DownLoader36.32796.17922.exe | malicious | 162.159.137.232
0IO1Or2045.exe | malicious | 104.23.98.190
y46XVvLaVc.exe | malicious | 172.67.166.210
FTH2004-005.exe | malicious | 23.227.38.74
inv.exe | malicious | 104.27.152.121
promotion.exe | malicious | 104.27.201.87
ul9kpUwYel.xls | malicious | 104.22.1.232
F6D24k8j9o.exe | malicious | 104.28.5.151
36.exe | malicious | 104.28.8.109
IKWSLxGlrQ.exe | malicious | 172.67.188.154
https://bit.ly/35cYpiT | malicious | 104.16.18.94
https://new-fax-messages.mydopweb.com/ | malicious | 104.16.18.94
https://www.food4rhino.com/app/human | malicious | 104.16.18.94
OKU-010920 SCQ-220920.doc | malicious | 104.24.113.40
https://www.food4rhino.com/app/elefront | malicious | 104.16.18.94
INFO.doc | malicious | 104.18.61.59

JA3 Fingerprints

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
Associated Sample Name / URL | Detection | Context
F6D24k8j9o.exe | malicious | 104.23.98.190, 104.23.99.190
umOXxQ9PFS.exe | malicious | 104.23.98.190, 104.23.99.190
IKWSLxGlrQ.exe | malicious | 104.23.98.190, 104.23.99.190
Softerra Adaxes 2011.3.exe | malicious | 104.23.98.190, 104.23.99.190
DSj7ak0N6I.exe | malicious | 104.23.98.190, 104.23.99.190
3AD78RVleO.exe | malicious | 104.23.98.190, 104.23.99.190
rFUaUAKfPi.exe | malicious | 104.23.98.190, 104.23.99.190
QWP-0716.xls.exe | malicious | 104.23.98.190, 104.23.99.190
invoice-ID3626307348012.vbs | malicious | 104.23.98.190, 104.23.99.190
xPcTV1mh3w.exe | malicious | 104.23.98.190, 104.23.99.190
SecuriteInfo.com.Trojan.GenericKD.36004001.8844.exe | malicious | 104.23.98.190, 104.23.99.190
Manager[1].exe | malicious | 104.23.98.190, 104.23.99.190
PO20002106.exe | malicious | 104.23.98.190, 104.23.99.190
Payment Documents.xls | malicious | 104.23.98.190, 104.23.99.190
QPI-01458.exe | malicious | 104.23.98.190, 104.23.99.190
LITmNphcCA.exe | malicious | 104.23.98.190, 104.23.99.190
HSBC Payment Advice - HSBC67628473234[20201412].exe | malicious | 104.23.98.190, 104.23.99.190
Ema.exe | malicious | 104.23.98.190, 104.23.99.190
Setup_6953.exe | malicious | 104.23.98.190, 104.23.99.190
Order_1101201918_AUTECH.exe | malicious | 104.23.98.190, 104.23.99.190

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Process:C:\Users\user\Desktop\shipping order#.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):2818048
                                        Entropy (8bit):3.8180432062188556
                                        Encrypted:false
                                        SSDEEP:24576:D+zmQLwh3i3PO/o1U6kUnu6l+4RcblO7O0uX7JgINl9jnxjdNBGqwe:KY3i3POEFWZ0kJfh4e
                                        MD5:A916070DF947A28EA73074C080189D35
                                        SHA1:2C4215352FECFBD74B596F1125177F54CD010A4B
                                        SHA-256:B657538BF8BC1ACA7CA8E7E02F1C5A39CBC8BC343BF7C5EBFE026F6DCC02FE32
                                        SHA-512:3D5B554C97D6A093F6CE94B8C5D681438F5F4B74DF391468E8ADF36A7AB2B599B0EE49DCF7C57FB9AAB03509D3F6A07747D94E05929EAAF627AA18D170ABFC4E
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 30%
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*._.................p(...........(.. ....(...@.. .......................`+.......(...@.................................<.(.O.....(.............t(......@+...................................................... ............... ..H............text....o(.. ...p(................. ..`.rsrc........(......r(.............@..@.reloc.......@+.......*.............@..B................p.(.....H.............'.....|....................................................*.r...p.....r...p.....r...p.....s.........s}........*6.~....o....&**....(....*~~....:....(....s(........~....*. ....*2r..!p.(....*2r.!p.(....*2r..!p.(....*2r&.!p.(....*2rD.!p.(....*2rx.!p.(....*2r..!p.(....*2r.!p.(....*..%...(....*~~....:....([...s(........~....*.....90...(....9........r .!p....(-...(%...*........(....*....*2r..!p.(....*2r.!p.(....*2r.!p.(....*2r..!p.(....*2r..!p.(....*2r2.!p.(....*2
                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                        Process:C:\Users\user\Desktop\shipping order#.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview: [ZoneTransfer]....ZoneId=0
                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DEE.tmp.WERInternalMetadata.xml
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):8446
                                        Entropy (8bit):3.6972961175464687
                                        Encrypted:false
                                        SSDEEP:192:Rrl7r3GLNiHS6r6YreSUMdQDgmfZMSR+prE89b0gsf0cYcm:RrlsNiy6r6YiSUMdQDgmfeSU0zf/C
                                        MD5:A0BEA0FAF8565FF7214B619B29C01B18
                                        SHA1:DA8B2DA5D9EF299A4BDED31783623B710E19B76E
                                        SHA-256:AD60AF38E7250AF54CF9B71921C1027BC7E2676EB232EB31513E88541E071D80
                                        SHA-512:86D6B867CAE0D7BE5045AF04369954D53944AA2DD7CEE5446D72622782175A8379B80FEF6C06FDFEB27CB9400AE11E67A81AAE704F12790171459BA2DD508A0F
                                        Malicious:false
                                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.8.4.<./.P.i.d.>.......
                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3D9.tmp.xml
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4733
                                        Entropy (8bit):4.471986333355066
                                        Encrypted:false
                                        SSDEEP:48:cvIwSD8zsyJgtWI9YWWSC8BE8fm8M4J7o5VFFiP+q8vV5VWtigGwtUBU5d:uITfAb3SN/JC8PK3M8K5d
                                        MD5:82A0B5CCAF7F4CD4E6DCC88F578897BB
                                        SHA1:34D4E7FF71C1E3F075211F17A21BE8C5DAB7DF81
                                        SHA-256:4A1B007851B2E84B9422959F8741016F5C34A04BD3FF4366500B2B21BD5DEFEE
                                        SHA-512:2C11A592CC8B7C616D12137A7D1D09A7EFA0819F2F1822AC25F10ACF4A36BCD98DE0DD6C0F6726010CD65D4A98A82F1E37A25CEA9EA79E5F9AEBD0C1175E6BB8
                                        Malicious:false
                                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="808000" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERBDF.tmp.dmp
                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                        File Type:Mini DuMP crash report, 15 streams, Fri Jan 8 17:29:22 2021, 0x1205a4 type
                                        Category:dropped
                                        Size (bytes):333257
                                        Entropy (8bit):3.7424784924409673
                                        Encrypted:false
                                        SSDEEP:3072:bz+UvrX0gpjd+p31HIaOZYee8Hq9gIOgF5Wo/0WtUCgUaSvpb1qDXFJj:bK0X0geppqK9RpDWu1tTjDOJj
                                        MD5:84FB07A24E4790983A5FB88400CF1A93
                                        SHA1:3DD6827693BAB8D6576E602BBBC039652A3DDA66
                                        SHA-256:615101E8378ED1B6BCED34E4D2503838EA67410651E85663ABF1D6DB8FB1C18F
                                        SHA-512:77E72261DABA22EBB5CF4C84B2AAC3BAEBDEDA8F193E553C201CE901F64F04E5C27E07D77B479D84FB208E8B84A4873A4392A2AD23E92C1A1B841CFC00B666E5
                                        Malicious:false
                                        Preview: MDMP....... .......r.._...................U...........B.......1......GenuineIntelW...........T.............._.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):698
                                        Entropy (8bit):5.068223855918045
                                        Encrypted:false
                                        SSDEEP:12:reMPyMYx2Y5BYtmWNUc5AtYX5E4a2KyrNpyMYGH+ptsxptsOtw9O9S8:reKyMGF5ytmLcetYX5E2KyPyMb+zsxzN
                                        MD5:684C50BD02AF31C87EA2FE17C2AF71CE
                                        SHA1:930B39970E6AF00CD0C1E203478D25848D4CEB4C
                                        SHA-256:A68A09639C8190A5710DF0DF0693BBADB11F453197BF44339382B813CA048EA2
                                        SHA-512:B919F1A138A2F1BD67734FA5CBC0EED6C54D12C25835097E2F1753F44A300E6F2BE0250A85BCC5FD606E329BDA42DB2329BF7826E93EAED47C68CD6213D9CF83
                                        Malicious:false
                                        Preview: PSMODULECACHE.............a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package........Find-Package........Install-PackageProvider........Import-PackageProvider........Get-PackageProvider........Register-PackageSource........Uninstall-Package........Find-PackageProvider........D..........C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1........Get-OperationValidation........Invoke-OperationValidation........
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brge2zcm.hwd.ps1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_czsau0n1.mqj.psm1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e04p2qly.o2t.ps1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fraa5aiu.gcp.psm1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_harhvbow.ned.psm1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pilnwesf.xu0.ps1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x2khrpam.ug2.ps1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yf4s2bry.3jw.psm1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview: 1
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                        Process:C:\Users\user\Desktop\shipping order#.exe
                                        File Type:ISO-8859 text, with no line terminators
                                        Category:dropped
                                        Size (bytes):8
                                        Entropy (8bit):3.0
                                        Encrypted:false
                                        SSDEEP:3:4zu:r
                                        MD5:13AFD6B42F94B15B991447EC048184D4
                                        SHA1:EC207DE4EE368BE199302725DE3A7B1D1948AAAB
                                        SHA-256:62E4FE80D7F5FD8715432E7CF2432CFF6E4550B043D78016E4054F8AA40B3BB1
                                        SHA-512:54C232BB4B6C525254767760E3FE355518565D5CB428F6C849F64AD0A4757722A7AA36E6D612FAADCE1C9AF7BB69CA83C99C8634B41091176C3181208E7F92BA
                                        Malicious:true
                                        Preview: .......H
                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe
                                        Process:C:\Users\user\Desktop\shipping order#.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):2818048
                                        Entropy (8bit):3.8180432062188556
                                        Encrypted:false
                                        SSDEEP:24576:D+zmQLwh3i3PO/o1U6kUnu6l+4RcblO7O0uX7JgINl9jnxjdNBGqwe:KY3i3POEFWZ0kJfh4e
                                        MD5:A916070DF947A28EA73074C080189D35
                                        SHA1:2C4215352FECFBD74B596F1125177F54CD010A4B
                                        SHA-256:B657538BF8BC1ACA7CA8E7E02F1C5A39CBC8BC343BF7C5EBFE026F6DCC02FE32
                                        SHA-512:3D5B554C97D6A093F6CE94B8C5D681438F5F4B74DF391468E8ADF36A7AB2B599B0EE49DCF7C57FB9AAB03509D3F6A07747D94E05929EAAF627AA18D170ABFC4E
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 30%
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*._.................p(...........(.. ....(...@.. .......................`+.......(...@.................................<.(.O.....(.............t(......@+...................................................... ............... ..H............text....o(.. ...p(................. ..`.rsrc........(......r(.............@..@.reloc.......@+.......*.............@..B................p.(.....H.............'.....|....................................................*.r...p.....r...p.....r...p.....s.........s}........*6.~....o....&**....(....*~~....:....(....s(........~....*. ....*2r..!p.(....*2r.!p.(....*2r..!p.(....*2r&.!p.(....*2rD.!p.(....*2rx.!p.(....*2r..!p.(....*2r.!p.(....*..%...(....*~~....:....([...s(........~....*.....90...(....9........r .!p....(-...(%...*........(....*....*2r..!p.(....*2r.!p.(....*2r.!p.(....*2r..!p.(....*2r..!p.(....*2r2.!p.(....*2
                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe:Zone.Identifier
                                        Process:C:\Users\user\Desktop\shipping order#.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview: [ZoneTransfer]....ZoneId=0
                                        C:\Users\user\Documents\20210108\PowerShell_transcript.701188.Laubqkk7.20210108182807.txt
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):962
                                        Entropy (8bit):5.31514815011842
                                        Encrypted:false
                                        SSDEEP:24:BxSAJ7vBZRJNzx2DOXUWeSuamuVM52WMHjeTKKjX4CIym1ZJXLduamuVM5a:BZFvjTZoO+SGuaxMqDYB1ZhdGuaa
                                        MD5:85C3FC216E604D6B70C5FC72D0822EBA
                                        SHA1:66D0F3A14FD0AAB7DA5490E8DF26EC857513B590
                                        SHA-256:BF4747B169A4C9628AD16514F6226751AF0B95835642039BE075425E4492208D
                                        SHA-512:D49605C11AB2565DBBB0D0872D5C6AB3D454BF3C69C8F7B9D0C0977FB37BF81EE5E4AA1BF8F43C787649487CAF3979C7EA8D1EA57B9CDDED452FDDB4C0B89D45
                                        Malicious:false
                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210108182839..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 701188 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe -Force..Process ID: 5128..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210108182839..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe -Force..
                                        C:\Users\user\Documents\20210108\PowerShell_transcript.701188.ONgqdUkt.20210108182809.txt
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):854
                                        Entropy (8bit):5.295052882573072
                                        Encrypted:false
                                        SSDEEP:24:BxSAp7vBZRJNzx2DOXUWeSuaq2WZ3HjeTKKjX4CIym1ZJXJFuaqa:BZlvjTZoO+SKxZ3qDYB1ZbFKa
                                        MD5:D3D23BDEB4FAF32D392FF68964B083A2
                                        SHA1:BE69E101BFB81A2BC3E236257B0FB70F5A9074EC
                                        SHA-256:8D793883D177D66F26A6104CD1C4F4C11A9CE0D52A973A6C52798D5ACFD2A204
                                        SHA-512:12952AC76FC6B49C9F63C337A72A1BFC2DE9904CF7D1A1F32EC87579F8400C4A1C9989F5C809EB973A5B3B608F430DDFD84296C594D1919169A2D516DAC714E4
                                        Malicious:false
                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210108182848..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 701188 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\shipping order#.exe -Force..Process ID: 6836..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210108182851..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\shipping order#.exe -Force..
                                        C:\Users\user\Documents\20210108\PowerShell_transcript.701188.nGv+RGBh.20210108182808.txt
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):962
                                        Entropy (8bit):5.313331889731213
                                        Encrypted:false
                                        SSDEEP:24:BxSAs7vBZRJNzx2DOXUWeSuamuVM52WNHjeTKKjX4CIym1ZJX2uamuVM5a:BZqvjTZoO+SGuaxNqDYB1ZsGuaa
                                        MD5:3DE15C085E769AA01B1A201BAE5C465F
                                        SHA1:B236DB49D392ACC323ABA55E5EDCD72B77281519
                                        SHA-256:3BE51DEAACE729D430113C7F776200060DEAE5B640EF686D6FF950311E3676AA
                                        SHA-512:F0D862703E139FFF831530AF5E4FD637C3CF351AFC1055A9817CE41C30E908E9E049DBE7E76C79C567266AB1EEB998EFFF8E769CDBE8C9AB30C174ABBB37F490
                                        Malicious:false
                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210108182847..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 701188 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe -Force..Process ID: 4944..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210108182847..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe -Force..
                                        C:\Users\user\Documents\20210108\PowerShell_transcript.701188.tt6CRrQ7.20210108182806.txt
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):962
                                        Entropy (8bit):5.319360174397925
                                        Encrypted:false
                                        SSDEEP:24:BxSAM7vBZRJNzx2DOXUWeSuamuVM52W9HjeTKKjX4CIym1ZJXWuamuVM5a:BZKvjTZoO+SGuax9qDYB1ZQGuaa
                                        MD5:BC0A8E8EED11BE498F474112A53D9537
                                        SHA1:A101FA3A0C1D2DEC525760A7F44BE5FC97AE1DBE
                                        SHA-256:1B8269998180214C2D74A8D6F432D63C7646B1D3046CCC96496FA186DF473838
                                        SHA-512:52FDB1297269B0113477030F9A4DCD710D495199A4141B56968BB9D8EF8DA663ACD67F4370D8E5759344D9B09A60C9A3BA5F15F84D510A089B3CE0EF0EC05A0D
                                        Malicious:false
                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210108182836..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 701188 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe -Force..Process ID: 5796..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210108182836..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe -Force..

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):3.8180432062188556
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:shipping order#.exe
                                        File size:2818048
                                        MD5:a916070df947a28ea73074c080189d35
                                        SHA1:2c4215352fecfbd74b596f1125177f54cd010a4b
                                        SHA256:b657538bf8bc1aca7ca8e7e02f1c5a39cbc8bc343bf7c5ebfe026f6dcc02fe32
                                        SHA512:3d5b554c97d6a093f6ce94b8c5d681438f5f4b74df391468e8adf36a7ab2b599b0ee49dcf7c57fb9aab03509d3f6a07747d94e05929eaaf627aa18d170abfc4e
                                        SSDEEP:24576:D+zmQLwh3i3PO/o1U6kUnu6l+4RcblO7O0uX7JgINl9jnxjdNBGqwe:KY3i3POEFWZ0kJfh4e
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*._.................p(...........(.. ....(...@.. .......................`+.......(...@................................

                                        File Icon

                                        Icon Hash:07d8d8d4d4d85026

                                        Static PE Info

                                        General

                                        Entrypoint:0x688f8e
                                        Entrypoint Section:.text
                                        Digitally signed:true
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x5FF82A12 [Fri Jan 8 09:46:58 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v4.0.30319
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Authenticode Signature

                                        Signature Valid:
                                        Signature Issuer:
                                        Signature Validation Error:
                                        Error Number:
                                        Not Before, Not After
                                          Subject Chain
                                            Version:
                                            Thumbprint MD5:
                                            Thumbprint SHA-1:
                                            Thumbprint SHA-256:
                                            Serial:

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]

                                            Data Directories

                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x288f3c | 0x4f | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28a000 | 0x28adc | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x287400 | 0x15a0 | .text
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2b4000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                            Sections

                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0x286f94 | 0x287000 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0x28a000 | 0x28adc | 0x28c00 | False | 0.0469049559049 | Macintosh MFS data (locked) created: Mon Apr 24 18:35:32 2017, last backup: Mon May 29 23:14:11 1995, block size: 2110829513, number of blocks: 17063, volume name: \246\330 | 2.9711901807 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0x2b4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            Name | RVA | Size | Type | Language | Country
                                            RT_ICON | 0x28a268 | 0xc35 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                            RT_ICON | 0x28aea0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4280119364, next used block 4280119364 | |
                                            RT_ICON | 0x29b6c8 | 0x94a8 | data | |
                                            RT_ICON | 0x2a4b70 | 0x5488 | data | |
                                            RT_ICON | 0x2a9ff8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | |
                                            RT_ICON | 0x2ae220 | 0x25a8 | data | |
                                            RT_ICON | 0x2b07c8 | 0x10a8 | data | |
                                            RT_ICON | 0x2b1870 | 0x988 | data | |
                                            RT_ICON | 0x2b21f8 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                            RT_GROUP_ICON | 0x2b2660 | 0x84 | data | |
                                            RT_VERSION | 0x2b26e4 | 0x3f8 | data | English | United States

                                            Imports

                                            DLL | Import
                                            mscoree.dll | _CorExeMain

                                            Version Infos

                                            Description | Data
                                            LegalCopyright | Microsoft Corp. All rights reserved.
                                            FileVersion | 2011.110.2809.27
                                            CompanyName | Microsoft Corporation
                                            LegalTrademarks | Microsoft SQL Server is a registered trademark of Microsoft Corporation.
                                            Comments | SQL
                                            ProductName | Microsoft SQL Server
                                            ProductVersion | 11.0.2809.27
                                            FileDescription | SQL External minidumper
                                            Guid | 4c600aad-49bf-420d-b1b2-61d4bf3fb135
                                            Translation | 0x0000 0x04e4

                                            Possible Origin

                                            Language of compilation systemCountry where language is spokenMap
                                            EnglishUnited States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2021 18:28:09.279190063 CET | 49728 | 443 | 192.168.2.4 | 104.23.98.190
Jan 8, 2021 18:28:09.320250034 CET | 443 | 49728 | 104.23.98.190 | 192.168.2.4
Jan 8, 2021 18:28:09.321468115 CET | 49728 | 443 | 192.168.2.4 | 104.23.98.190
Jan 8, 2021 18:28:09.362423897 CET | 49728 | 443 | 192.168.2.4 | 104.23.98.190
Jan 8, 2021 18:28:09.403578997 CET | 443 | 49728 | 104.23.98.190 | 192.168.2.4
Jan 8, 2021 18:28:09.406205893 CET | 443 | 49728 | 104.23.98.190 | 192.168.2.4
Jan 8, 2021 18:28:09.406260967 CET | 443 | 49728 | 104.23.98.190 | 192.168.2.4
Jan 8, 2021 18:28:09.406292915 CET | 443 | 49728 | 104.23.98.190 | 192.168.2.4
Jan 8, 2021 18:28:09.407135963 CET | 49728 | 443 | 192.168.2.4 | 104.23.98.190
Jan 8, 2021 18:28:09.412537098 CET | 49728 | 443 | 192.168.2.4 | 104.23.98.190
Jan 8, 2021 18:28:09.455337048 CET | 443 | 49728 | 104.23.98.190 | 192.168.2.4
Jan 8, 2021 18:28:09.456012964 CET | 443 | 49728 | 104.23.98.190 | 192.168.2.4
Jan 8, 2021 18:28:09.499023914 CET | 49728 | 443 | 192.168.2.4 | 104.23.98.190
Jan 8, 2021 18:28:09.539196014 CET | 443 | 49728 | 104.23.98.190 | 192.168.2.4
Jan 8, 2021 18:28:09.552113056 CET | 443 | 49728 | 104.23.98.190 | 192.168.2.4
Jan 8, 2021 18:28:09.552156925 CET | 443 | 49728 | 104.23.98.190 | 192.168.2.4
Jan 8, 2021 18:28:09.552329063 CET | 49728 | 443 | 192.168.2.4 | 104.23.98.190
Jan 8, 2021 18:28:45.569504023 CET | 49739 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:28:45.618786097 CET | 10004 | 49739 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:28:46.125101089 CET | 49739 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:28:46.174438000 CET | 10004 | 49739 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:28:46.687581062 CET | 49739 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:28:46.736856937 CET | 10004 | 49739 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:28:52.411062956 CET | 49745 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:28:52.461215019 CET | 10004 | 49745 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:28:53.109863997 CET | 49745 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:28:53.159204960 CET | 10004 | 49745 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:28:53.738729000 CET | 49745 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:28:53.788064957 CET | 10004 | 49745 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:28:59.413294077 CET | 49754 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:28:59.462886095 CET | 10004 | 49754 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:00.110843897 CET | 49754 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:00.160305977 CET | 10004 | 49754 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:00.798029900 CET | 49754 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:00.847595930 CET | 10004 | 49754 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:10.805627108 CET | 49759 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:10.855285883 CET | 10004 | 49759 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:11.361377001 CET | 49759 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:11.410864115 CET | 10004 | 49759 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:11.923930883 CET | 49759 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:13.954814911 CET | 10004 | 49759 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:18.315542936 CET | 49767 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:18.364805937 CET | 10004 | 49767 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:18.877727032 CET | 49767 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:18.927046061 CET | 10004 | 49767 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:19.440170050 CET | 49767 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:19.490469933 CET | 10004 | 49767 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:28.776222944 CET | 49770 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:28.825845957 CET | 10004 | 49770 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:29.331721067 CET | 49770 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:29.381279945 CET | 10004 | 49770 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:29.894196987 CET | 49770 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:29.943869114 CET | 10004 | 49770 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:34.178714037 CET | 49771 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:34.228147030 CET | 10004 | 49771 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:34.738337994 CET | 49771 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:34.789946079 CET | 10004 | 49771 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:35.300869942 CET | 49771 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:35.350395918 CET | 10004 | 49771 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:37.005249023 CET | 49772 | 443 | 192.168.2.4 | 104.23.99.190
Jan 8, 2021 18:29:37.045504093 CET | 443 | 49772 | 104.23.99.190 | 192.168.2.4
Jan 8, 2021 18:29:37.045658112 CET | 49772 | 443 | 192.168.2.4 | 104.23.99.190
Jan 8, 2021 18:29:37.273112059 CET | 49772 | 443 | 192.168.2.4 | 104.23.99.190
Jan 8, 2021 18:29:37.313086987 CET | 443 | 49772 | 104.23.99.190 | 192.168.2.4
Jan 8, 2021 18:29:37.316292048 CET | 443 | 49772 | 104.23.99.190 | 192.168.2.4
Jan 8, 2021 18:29:37.316313982 CET | 443 | 49772 | 104.23.99.190 | 192.168.2.4
Jan 8, 2021 18:29:37.316323996 CET | 443 | 49772 | 104.23.99.190 | 192.168.2.4
Jan 8, 2021 18:29:37.316410065 CET | 49772 | 443 | 192.168.2.4 | 104.23.99.190
Jan 8, 2021 18:29:37.321706057 CET | 49772 | 443 | 192.168.2.4 | 104.23.99.190
Jan 8, 2021 18:29:37.361747980 CET | 443 | 49772 | 104.23.99.190 | 192.168.2.4
Jan 8, 2021 18:29:37.361929893 CET | 443 | 49772 | 104.23.99.190 | 192.168.2.4
Jan 8, 2021 18:29:37.410406113 CET | 49772 | 443 | 192.168.2.4 | 104.23.99.190
Jan 8, 2021 18:29:37.484163046 CET | 49772 | 443 | 192.168.2.4 | 104.23.99.190
Jan 8, 2021 18:29:37.524144888 CET | 443 | 49772 | 104.23.99.190 | 192.168.2.4
Jan 8, 2021 18:29:37.535754919 CET | 443 | 49772 | 104.23.99.190 | 192.168.2.4
Jan 8, 2021 18:29:37.535774946 CET | 443 | 49772 | 104.23.99.190 | 192.168.2.4
Jan 8, 2021 18:29:37.535923958 CET | 49772 | 443 | 192.168.2.4 | 104.23.99.190
Jan 8, 2021 18:29:42.532982111 CET | 49774 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:42.582350969 CET | 10004 | 49774 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:43.082772017 CET | 49774 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:43.133642912 CET | 10004 | 49774 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:43.645303011 CET | 49774 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:43.694761038 CET | 10004 | 49774 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:50.897908926 CET | 49776 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:50.947325945 CET | 10004 | 49776 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:51.458544016 CET | 49776 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:51.507946014 CET | 10004 | 49776 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:52.021028042 CET | 49776 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:52.070400953 CET | 10004 | 49776 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:59.162651062 CET | 49779 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:59.211925030 CET | 10004 | 49779 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:29:59.724776030 CET | 49779 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:29:59.774046898 CET | 10004 | 49779 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:30:00.287364960 CET | 49779 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:30:00.336741924 CET | 10004 | 49779 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:30:09.765389919 CET | 49780 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:30:09.814692020 CET | 10004 | 49780 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:30:10.319847107 CET | 49780 | 10004 | 192.168.2.4 | 194.5.97.173
Jan 8, 2021 18:30:10.370201111 CET | 10004 | 49780 | 194.5.97.173 | 192.168.2.4
Jan 8, 2021 18:30:10.932128906 CET | 49780 | 10004 | 192.168.2.4 | 194.5.97.173
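The TCP table shows the sample opening a fresh connection to 194.5.97.173:10004 every few seconds, each from a new ephemeral source port, with two pastebin.com connections on 443 in between. The script below is an added example, not part of the Joe Sandbox report: it reads rows in the reconstructed "timestamp | sport | dport | src | dst" layout (TCP_ROWS is a subset re-typed from the table above), takes the first client packet on each ephemeral port as a connection start, and scores every destination for beaconing by the median gap between starts and its median absolute deviation. The thresholds (at least five connections, MAD within half the median) are assumptions chosen for this capture, not tuned values, and the client address 192.168.2.4 is the sandbox VM from the table.

```python
"""Score every TCP destination in a sandbox packet table for beaconing.

Added example, not part of the Joe Sandbox report. TCP_ROWS is a subset of
the report's TCP table re-typed in the "timestamp | sport | dport | src | dst"
layout: every connection start to 194.5.97.173:10004, the two pastebin.com
connections, and a few extra packets to show that only the first packet on
each ephemeral source port counts as a connection start.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

TCP_ROWS = """\
Jan 8, 2021 18:28:09.279190063 CET | 49728 | 443   | 192.168.2.4   | 104.23.98.190
Jan 8, 2021 18:28:09.320250034 CET | 443   | 49728 | 104.23.98.190 | 192.168.2.4
Jan 8, 2021 18:28:45.569504023 CET | 49739 | 10004 | 192.168.2.4   | 194.5.97.173
Jan 8, 2021 18:28:45.618786097 CET | 10004 | 49739 | 194.5.97.173  | 192.168.2.4
Jan 8, 2021 18:28:46.125101089 CET | 49739 | 10004 | 192.168.2.4   | 194.5.97.173
Jan 8, 2021 18:28:46.687581062 CET | 49739 | 10004 | 192.168.2.4   | 194.5.97.173
Jan 8, 2021 18:28:52.411062956 CET | 49745 | 10004 | 192.168.2.4   | 194.5.97.173
Jan 8, 2021 18:28:59.413294077 CET | 49754 | 10004 | 192.168.2.4   | 194.5.97.173
Jan 8, 2021 18:29:10.805627108 CET | 49759 | 10004 | 192.168.2.4   | 194.5.97.173
Jan 8, 2021 18:29:18.315542936 CET | 49767 | 10004 | 192.168.2.4   | 194.5.97.173
Jan 8, 2021 18:29:28.776222944 CET | 49770 | 10004 | 192.168.2.4   | 194.5.97.173
Jan 8, 2021 18:29:34.178714037 CET | 49771 | 10004 | 192.168.2.4   | 194.5.97.173
Jan 8, 2021 18:29:37.005249023 CET | 49772 | 443   | 192.168.2.4   | 104.23.99.190
Jan 8, 2021 18:29:42.532982111 CET | 49774 | 10004 | 192.168.2.4   | 194.5.97.173
Jan 8, 2021 18:29:50.897908926 CET | 49776 | 10004 | 192.168.2.4   | 194.5.97.173
Jan 8, 2021 18:29:59.162651062 CET | 49779 | 10004 | 192.168.2.4   | 194.5.97.173
Jan 8, 2021 18:30:09.765389919 CET | 49780 | 10004 | 192.168.2.4   | 194.5.97.173
"""


def parse_ts(text):
    """'Jan 8, 2021 18:28:45.569504023 CET' -> datetime; the 9-digit fraction is
    cut to the 6 digits strptime's %f accepts (nanoseconds do not matter here)."""
    head, frac = text.replace(" CET", "").rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(table):
    """One (datetime, sport, dport, src, dst) tuple per non-empty row."""
    packets = []
    for line in table.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = [c.strip() for c in line.split("|")]
        packets.append((parse_ts(ts), int(sport), int(dport), src, dst))
    return packets


def connection_starts(packets, client_ip):
    """Earliest client packet per (dst, dport, sport): a new ephemeral port is a new
    connection, so retries on the same port collapse into one start."""
    first = {}
    for ts, sport, dport, src, dst in packets:
        if src != client_ip:
            continue  # server -> client packets never start a connection
        key = (dst, dport, sport)
        if key not in first or ts < first[key]:
            first[key] = ts
    starts = defaultdict(list)
    for (dst, dport, _sport), ts in first.items():
        starts[(dst, dport)].append(ts)
    return {k: sorted(v) for k, v in starts.items()}


def beacon_stats(starts):
    """Median gap between connection starts and its median absolute deviation (MAD)."""
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2:
        return {"connections": len(starts), "median_gap": None, "mad": None}
    med = median(gaps)
    mad = median(abs(g - med) for g in gaps)
    return {"connections": len(starts), "median_gap": med, "mad": mad}


def is_beacon(stats, min_connections=5, max_rel_mad=0.5):
    """Assumed thresholds: enough connections, and jitter (MAD) at most half the period."""
    if stats["median_gap"] is None or stats["connections"] < min_connections:
        return False
    return stats["mad"] <= max_rel_mad * stats["median_gap"]


def find_beacons(table, client_ip="192.168.2.4"):
    """Map (dst_ip, dst_port) -> stats plus a 'beacon' verdict for every destination."""
    report = {}
    for key, starts in connection_starts(parse_rows(table), client_ip).items():
        stats = beacon_stats(starts)
        stats["beacon"] = is_beacon(stats)
        report[key] = stats
    return report


if __name__ == "__main__":
    for (dst, dport), s in sorted(find_beacons(TCP_ROWS).items()):
        print(f"{dst}:{dport:<5} connections={s['connections']:<2} "
              f"median_gap={s['median_gap']} mad={s['mad']} beacon={s['beacon']}")
```

Run against the full table, 194.5.97.173:10004 comes out with eleven starts about 8.3 s apart and low jitter, while the two pastebin.com destinations fall below the connection threshold; on production NetFlow the same grouping works once the client is fixed to the host under investigation.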

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2021 18:28:03.163474083 CET | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:03.214591980 CET | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:04.288980961 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:04.336911917 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:05.430877924 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:05.478806019 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:09.182218075 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:09.241352081 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:20.362673044 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:20.414274931 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:39.259988070 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:39.307970047 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:40.389254093 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:40.437110901 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:41.574131012 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:41.622072935 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:42.536215067 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:42.584234953 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:42.894756079 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:42.951260090 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:43.436304092 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:43.484148979 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:44.710547924 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:44.759284973 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:45.472358942 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:45.531147003 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:45.629201889 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:45.677192926 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:46.523212910 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:46.575221062 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:47.326358080 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:47.377506018 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:48.163100958 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:48.211038113 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:51.745104074 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:51.795805931 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:52.290245056 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:52.354598045 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:53.013287067 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:53.061291933 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:53.892571926 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:53.943299055 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:54.863235950 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:54.950402021 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:55.505544901 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:55.553472042 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:56.052324057 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:56.116507053 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:56.476608038 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:56.523276091 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:56.532810926 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:56.579338074 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:57.673465967 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:57.724289894 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:59.313375950 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:59.374864101 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:28:59.512973070 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:28:59.569612026 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:01.338078022 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:01.443854094 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:03.978924990 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:04.035427094 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:07.487880945 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:07.546094894 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:10.748450041 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:10.804574966 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:10.995482922 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:11.046228886 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:11.463151932 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:11.523710012 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:13.144999981 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:14.174741030 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:14.231101990 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:18.203933954 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:18.260675907 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:20.372546911 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:20.431698084 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:21.702075005 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:21.761449099 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:28.635936975 CET | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:28.694567919 CET | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:34.121220112 CET | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:34.177614927 CET | 53 | 64206 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:36.863101006 CET | 50904 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:36.919483900 CET | 53 | 50904 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:39.035324097 CET | 57525 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:39.083435059 CET | 53 | 57525 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:42.371758938 CET | 53814 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:42.428167105 CET | 53 | 53814 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:43.402868986 CET | 53418 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:43.474981070 CET | 53 | 53418 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:49.928546906 CET | 62833 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:49.984771967 CET | 53 | 62833 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:53.252557993 CET | 59260 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:53.313792944 CET | 53 | 59260 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:53.775106907 CET | 49944 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:53.822890043 CET | 53 | 49944 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:29:58.927599907 CET | 63300 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:29:58.986083984 CET | 53 | 63300 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:09.644856930 CET | 61449 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:09.701236010 CET | 53 | 61449 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:15.811732054 CET | 51275 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:15.868063927 CET | 53 | 51275 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:24.476016045 CET | 63492 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:24.535446882 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:24.763263941 CET | 58945 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:24.811640978 CET | 53 | 58945 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:25.057379961 CET | 60779 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:25.113856077 CET | 53 | 60779 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:26.623346090 CET | 64014 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:26.684256077 CET | 53 | 64014 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:30.146119118 CET | 57091 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:30.203305960 CET | 53 | 57091 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:34.101454973 CET | 55904 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:34.161103964 CET | 53 | 55904 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:35.886343956 CET | 52109 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:35.942862988 CET | 53 | 52109 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:41.625237942 CET | 54450 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:41.681348085 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:45.834404945 CET | 49374 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:45.885118961 CET | 53 | 49374 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:46.382834911 CET | 50436 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:46.430803061 CET | 53 | 50436 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:47.083993912 CET | 62605 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:47.140379906 CET | 53 | 62605 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:48.340528011 CET | 54256 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:48.388509989 CET | 53 | 54256 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:51.114455938 CET | 52189 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:51.162751913 CET | 53 | 52189 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:52.539551020 CET | 56131 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:52.587620974 CET | 53 | 56131 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:55.847292900 CET | 62992 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:55.895030022 CET | 53 | 62992 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:58.642716885 CET | 54432 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:58.701703072 CET | 53 | 54432 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:30:59.445573092 CET | 57227 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:30:59.496325016 CET | 53 | 57227 | 8.8.8.8 | 192.168.2.4
Jan 8, 2021 18:31:04.066267967 CET | 58383 | 53 | 192.168.2.4 | 8.8.8.8
Jan 8, 2021 18:31:04.125413895 CET | 53 | 58383 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 8, 2021 18:28:09.182218075 CET | 192.168.2.4 | 8.8.8.8 | 0xd2b7 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
Jan 8, 2021 18:28:45.472358942 CET | 192.168.2.4 | 8.8.8.8 | 0x6036 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:28:52.290245056 CET | 192.168.2.4 | 8.8.8.8 | 0x7ee5 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:28:59.313375950 CET | 192.168.2.4 | 8.8.8.8 | 0xb1d8 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:29:10.748450041 CET | 192.168.2.4 | 8.8.8.8 | 0xb08f | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:29:18.203933954 CET | 192.168.2.4 | 8.8.8.8 | 0x10e7 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:29:28.635936975 CET | 192.168.2.4 | 8.8.8.8 | 0x2c6d | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:29:34.121220112 CET | 192.168.2.4 | 8.8.8.8 | 0x43ab | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:29:36.863101006 CET | 192.168.2.4 | 8.8.8.8 | 0x35df | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
Jan 8, 2021 18:29:42.371758938 CET | 192.168.2.4 | 8.8.8.8 | 0x7bc2 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:29:49.928546906 CET | 192.168.2.4 | 8.8.8.8 | 0x451f | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:29:58.927599907 CET | 192.168.2.4 | 8.8.8.8 | 0x27bc | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:30:09.644856930 CET | 192.168.2.4 | 8.8.8.8 | 0x2c86 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:30:15.811732054 CET | 192.168.2.4 | 8.8.8.8 | 0x85ba | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:30:24.476016045 CET | 192.168.2.4 | 8.8.8.8 | 0x4a77 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:30:25.057379961 CET | 192.168.2.4 | 8.8.8.8 | 0xc184 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
Jan 8, 2021 18:30:26.623346090 CET | 192.168.2.4 | 8.8.8.8 | 0x4f | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
Jan 8, 2021 18:30:30.146119118 CET | 192.168.2.4 | 8.8.8.8 | 0x241d | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:30:34.101454973 CET | 192.168.2.4 | 8.8.8.8 | 0x1b2a | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
Jan 8, 2021 18:30:35.886343956 CET | 192.168.2.4 | 8.8.8.8 | 0x8742 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:30:41.625237942 CET | 192.168.2.4 | 8.8.8.8 | 0xd7b1 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:30:47.083993912 CET | 192.168.2.4 | 8.8.8.8 | 0x9c23 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:30:48.340528011 CET | 192.168.2.4 | 8.8.8.8 | 0x2b66 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
Jan 8, 2021 18:30:52.539551020 CET | 192.168.2.4 | 8.8.8.8 | 0x22a9 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:30:58.642716885 CET | 192.168.2.4 | 8.8.8.8 | 0x918d | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
Jan 8, 2021 18:30:59.445573092 CET | 192.168.2.4 | 8.8.8.8 | 0xdcb2 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
Jan 8, 2021 18:31:04.066267967 CET | 192.168.2.4 | 8.8.8.8 | 0xa051 | Standard query (0) | 1.ispnano.dns-cloud.net | A (IP address) | IN (0x0001)
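The queries above and the answers listed next show the sample re-resolving 1.ispnano.dns-cloud.net before every connection attempt rather than caching the answer, and resolving pastebin.com ahead of each 443 connection. The script below is an added example, not part of the Joe Sandbox report: it pairs answers with queries by transaction ID, then attributes each TCP connection start to the lookup that returned its destination address just before it, which is how an analyst turns raw flows into named indicators. The rows are re-typed from the DNS Queries, DNS Answers and TCP tables (a subset, plus the one answer, 0x7754, that has no query in the table, to show how unrelated background traffic is set aside); the five-second attribution window and the "-" placeholder for a CNAME-only answer are assumptions of this example.

```python
"""Attribute TCP connections to the DNS lookups that preceded them.

Added example, not part of the Joe Sandbox report. The three tables below are
re-typed from the report (a subset): DNS queries as "ts | txid | name | type",
DNS answers as "ts | txid | name | address" ("-" marks a CNAME-only answer,
an assumption of this example), and connection starts as "ts | dst | port".
"""
from collections import defaultdict
from datetime import datetime

DNS_QUERIES = """\
Jan 8, 2021 18:28:09.182218075 CET | 0xd2b7 | pastebin.com            | A
Jan 8, 2021 18:28:45.472358942 CET | 0x6036 | 1.ispnano.dns-cloud.net | A
Jan 8, 2021 18:28:52.290245056 CET | 0x7ee5 | 1.ispnano.dns-cloud.net | A
Jan 8, 2021 18:28:59.313375950 CET | 0xb1d8 | 1.ispnano.dns-cloud.net | A
Jan 8, 2021 18:29:36.863101006 CET | 0x35df | pastebin.com            | A
"""

DNS_ANSWERS = """\
Jan 8, 2021 18:28:09.241352081 CET | 0xd2b7 | pastebin.com             | 104.23.98.190
Jan 8, 2021 18:28:09.241352081 CET | 0xd2b7 | pastebin.com             | 104.23.99.190
Jan 8, 2021 18:28:45.531147003 CET | 0x6036 | 1.ispnano.dns-cloud.net  | 194.5.97.173
Jan 8, 2021 18:28:52.354598045 CET | 0x7ee5 | 1.ispnano.dns-cloud.net  | 194.5.97.173
Jan 8, 2021 18:28:59.374864101 CET | 0xb1d8 | 1.ispnano.dns-cloud.net  | 194.5.97.173
Jan 8, 2021 18:29:36.919483900 CET | 0x35df | pastebin.com             | 104.23.99.190
Jan 8, 2021 18:29:36.919483900 CET | 0x35df | pastebin.com             | 104.23.98.190
Jan 8, 2021 18:29:53.313792944 CET | 0x7754 | prda.aadg.msidentity.com | -
"""

CONNECTIONS = """\
Jan 8, 2021 18:28:09.279190063 CET | 104.23.98.190 | 443
Jan 8, 2021 18:28:45.569504023 CET | 194.5.97.173  | 10004
Jan 8, 2021 18:28:52.411062956 CET | 194.5.97.173  | 10004
Jan 8, 2021 18:28:59.413294077 CET | 194.5.97.173  | 10004
Jan 8, 2021 18:29:37.005249023 CET | 104.23.99.190 | 443
"""


def parse_ts(text):
    """Report timestamp -> datetime; the 9-digit fraction is cut to strptime's 6."""
    head, frac = text.replace(" CET", "").rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def rows(table):
    """Split a pipe-separated table into stripped cells, skipping blank lines."""
    return [[c.strip() for c in line.split("|")] for line in table.splitlines() if line.strip()]


def resolutions(queries, answers):
    """Pair answers with queries by transaction ID (and name, since IDs are only 16 bits
    and can repeat); returns (matched lookups sorted by answer time, unmatched answers)."""
    pending = {txid: (parse_ts(ts), name) for ts, txid, name, _type in rows(queries)}
    matched, unmatched = {}, []
    for ts, txid, name, addr in rows(answers):
        if txid not in pending or pending[txid][1] != name:
            unmatched.append({"txid": txid, "name": name, "address": addr})
            continue
        rec = matched.setdefault(txid, {"query_ts": pending[txid][0], "answer_ts": parse_ts(ts),
                                        "name": name, "addresses": set()})
        if addr != "-":
            rec["addresses"].add(addr)  # several A records share one transaction ID
    return sorted(matched.values(), key=lambda r: r["answer_ts"]), unmatched


def attribute(connections, resolved, window=5.0):
    """Name each connection by the most recent lookup (answered at most `window`
    seconds earlier) whose answer contained the destination address."""
    out = []
    for ts, dst, port in rows(connections):
        conn_ts, best = parse_ts(ts), None
        for rec in resolved:
            lag = (conn_ts - rec["answer_ts"]).total_seconds()
            if dst in rec["addresses"] and 0 <= lag <= window and (best is None or lag < best["lag"]):
                best = {"ts": conn_ts, "dst": dst, "port": int(port), "name": rec["name"], "lag": lag}
        out.append(best or {"ts": conn_ts, "dst": dst, "port": int(port), "name": None, "lag": None})
    return out


def summarize(resolved, attributed):
    """Per name: lookup count, every address returned, and the sockets actually contacted."""
    summary = defaultdict(lambda: {"lookups": 0, "addresses": set(), "contacted": set()})
    for rec in resolved:
        summary[rec["name"]]["lookups"] += 1
        summary[rec["name"]]["addresses"] |= rec["addresses"]
    for a in attributed:
        if a["name"]:
            summary[a["name"]]["contacted"].add((a["dst"], a["port"]))
    return dict(summary)


if __name__ == "__main__":
    resolved, unmatched = resolutions(DNS_QUERIES, DNS_ANSWERS)
    attributed = attribute(CONNECTIONS, resolved)
    for a in attributed:
        print(f"{a['ts'].time()} {a['dst']}:{a['port']} <- {a['name']} (lag {a['lag']} s)")
    for name, s in summarize(resolved, attributed).items():
        print(f"{name}: {s['lookups']} lookups, addresses={sorted(s['addresses'])}, contacted={sorted(s['contacted'])}")
    print("answers without a query in the table:", [u["name"] for u in unmatched])
```

Every connection in the subset lands within 0.1 s of the answer that supplied its address, which is the signature of a client that resolves on every connect; the msidentity.com CNAME answer (Windows background traffic, transaction 0x7754) is reported separately instead of being mixed into the indicator list.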

                                            DNS Answers

                                             Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                             Jan 8, 2021 18:28:09.241352081 CET | 8.8.8.8 | 192.168.2.4 | 0xd2b7 | No error (0) | pastebin.com | | 104.23.98.190 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:28:09.241352081 CET | 8.8.8.8 | 192.168.2.4 | 0xd2b7 | No error (0) | pastebin.com | | 104.23.99.190 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:28:45.531147003 CET | 8.8.8.8 | 192.168.2.4 | 0x6036 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:28:52.354598045 CET | 8.8.8.8 | 192.168.2.4 | 0x7ee5 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:28:59.374864101 CET | 8.8.8.8 | 192.168.2.4 | 0xb1d8 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:29:10.804574966 CET | 8.8.8.8 | 192.168.2.4 | 0xb08f | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:29:18.260675907 CET | 8.8.8.8 | 192.168.2.4 | 0x10e7 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:29:28.694567919 CET | 8.8.8.8 | 192.168.2.4 | 0x2c6d | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:29:34.177614927 CET | 8.8.8.8 | 192.168.2.4 | 0x43ab | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:29:36.919483900 CET | 8.8.8.8 | 192.168.2.4 | 0x35df | No error (0) | pastebin.com | | 104.23.99.190 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:29:36.919483900 CET | 8.8.8.8 | 192.168.2.4 | 0x35df | No error (0) | pastebin.com | | 104.23.98.190 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:29:42.428167105 CET | 8.8.8.8 | 192.168.2.4 | 0x7bc2 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:29:49.984771967 CET | 8.8.8.8 | 192.168.2.4 | 0x451f | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:29:53.313792944 CET | 8.8.8.8 | 192.168.2.4 | 0x7754 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                             Jan 8, 2021 18:29:58.986083984 CET | 8.8.8.8 | 192.168.2.4 | 0x27bc | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:09.701236010 CET | 8.8.8.8 | 192.168.2.4 | 0x2c86 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:15.868063927 CET | 8.8.8.8 | 192.168.2.4 | 0x85ba | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:24.535446882 CET | 8.8.8.8 | 192.168.2.4 | 0x4a77 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:25.113856077 CET | 8.8.8.8 | 192.168.2.4 | 0xc184 | No error (0) | pastebin.com | | 104.23.99.190 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:25.113856077 CET | 8.8.8.8 | 192.168.2.4 | 0xc184 | No error (0) | pastebin.com | | 104.23.98.190 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:26.684256077 CET | 8.8.8.8 | 192.168.2.4 | 0x4f | No error (0) | pastebin.com | | 104.23.98.190 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:26.684256077 CET | 8.8.8.8 | 192.168.2.4 | 0x4f | No error (0) | pastebin.com | | 104.23.99.190 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:30.203305960 CET | 8.8.8.8 | 192.168.2.4 | 0x241d | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:34.161103964 CET | 8.8.8.8 | 192.168.2.4 | 0x1b2a | No error (0) | pastebin.com | | 104.23.99.190 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:34.161103964 CET | 8.8.8.8 | 192.168.2.4 | 0x1b2a | No error (0) | pastebin.com | | 104.23.98.190 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:35.942862988 CET | 8.8.8.8 | 192.168.2.4 | 0x8742 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:41.681348085 CET | 8.8.8.8 | 192.168.2.4 | 0xd7b1 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:47.140379906 CET | 8.8.8.8 | 192.168.2.4 | 0x9c23 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:48.388509989 CET | 8.8.8.8 | 192.168.2.4 | 0x2b66 | No error (0) | pastebin.com | | 104.23.98.190 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:48.388509989 CET | 8.8.8.8 | 192.168.2.4 | 0x2b66 | No error (0) | pastebin.com | | 104.23.99.190 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:52.587620974 CET | 8.8.8.8 | 192.168.2.4 | 0x22a9 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:58.701703072 CET | 8.8.8.8 | 192.168.2.4 | 0x918d | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:59.496325016 CET | 8.8.8.8 | 192.168.2.4 | 0xdcb2 | No error (0) | pastebin.com | | 104.23.99.190 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:30:59.496325016 CET | 8.8.8.8 | 192.168.2.4 | 0xdcb2 | No error (0) | pastebin.com | | 104.23.98.190 | A (IP address) | IN (0x0001)
                                             Jan 8, 2021 18:31:04.125413895 CET | 8.8.8.8 | 192.168.2.4 | 0xa051 | No error (0) | 1.ispnano.dns-cloud.net | | 194.5.97.173 | A (IP address) | IN (0x0001)
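
                                             The answers above show 1.ispnano.dns-cloud.net being re-resolved twenty times in about three minutes at gaps of roughly 5 to 11 seconds, always to 194.5.97.173, while the pastebin.com lookups are spread irregularly. Regular re-resolution of one name is what a client stuck in a reconnect loop looks like, and it is cheap to hunt for in passive DNS logs. The script below is an added example, not part of the Joe Sandbox report: it takes the rows of this DNS Answers table (transcribed into a delimited form), collapses the two A records that arrive in one response into a single lookup, and flags names whose inter-lookup gaps are both frequent and regular. The thresholds (five lookups, coefficient of variation at most 0.5) and the dynamic-DNS suffix watchlist are analyst assumptions, not values taken from the report.

```python
"""Added example: flag DNS names a host re-resolves at short, regular intervals.

The rows below are transcribed from the DNS Answers table of this report
(all on Jan 8, 2021, CET). The thresholds and the dynamic-DNS suffix
watchlist are analyst assumptions, not values taken from the report.
"""
import statistics
from collections import defaultdict

# time | transaction ID | queried name | record type | answer
DNS_ANSWERS = """\
18:28:09.241352081|0xd2b7|pastebin.com|A|104.23.98.190
18:28:09.241352081|0xd2b7|pastebin.com|A|104.23.99.190
18:28:45.531147003|0x6036|1.ispnano.dns-cloud.net|A|194.5.97.173
18:28:52.354598045|0x7ee5|1.ispnano.dns-cloud.net|A|194.5.97.173
18:28:59.374864101|0xb1d8|1.ispnano.dns-cloud.net|A|194.5.97.173
18:29:10.804574966|0xb08f|1.ispnano.dns-cloud.net|A|194.5.97.173
18:29:18.260675907|0x10e7|1.ispnano.dns-cloud.net|A|194.5.97.173
18:29:28.694567919|0x2c6d|1.ispnano.dns-cloud.net|A|194.5.97.173
18:29:34.177614927|0x43ab|1.ispnano.dns-cloud.net|A|194.5.97.173
18:29:36.919483900|0x35df|pastebin.com|A|104.23.99.190
18:29:36.919483900|0x35df|pastebin.com|A|104.23.98.190
18:29:42.428167105|0x7bc2|1.ispnano.dns-cloud.net|A|194.5.97.173
18:29:49.984771967|0x451f|1.ispnano.dns-cloud.net|A|194.5.97.173
18:29:53.313792944|0x7754|prda.aadg.msidentity.com|CNAME|www.tm.a.prd.aadg.akadns.net
18:29:58.986083984|0x27bc|1.ispnano.dns-cloud.net|A|194.5.97.173
18:30:09.701236010|0x2c86|1.ispnano.dns-cloud.net|A|194.5.97.173
18:30:15.868063927|0x85ba|1.ispnano.dns-cloud.net|A|194.5.97.173
18:30:24.535446882|0x4a77|1.ispnano.dns-cloud.net|A|194.5.97.173
18:30:25.113856077|0xc184|pastebin.com|A|104.23.99.190
18:30:25.113856077|0xc184|pastebin.com|A|104.23.98.190
18:30:26.684256077|0x4f|pastebin.com|A|104.23.98.190
18:30:26.684256077|0x4f|pastebin.com|A|104.23.99.190
18:30:30.203305960|0x241d|1.ispnano.dns-cloud.net|A|194.5.97.173
18:30:34.161103964|0x1b2a|pastebin.com|A|104.23.99.190
18:30:34.161103964|0x1b2a|pastebin.com|A|104.23.98.190
18:30:35.942862988|0x8742|1.ispnano.dns-cloud.net|A|194.5.97.173
18:30:41.681348085|0xd7b1|1.ispnano.dns-cloud.net|A|194.5.97.173
18:30:47.140379906|0x9c23|1.ispnano.dns-cloud.net|A|194.5.97.173
18:30:48.388509989|0x2b66|pastebin.com|A|104.23.98.190
18:30:48.388509989|0x2b66|pastebin.com|A|104.23.99.190
18:30:52.587620974|0x22a9|1.ispnano.dns-cloud.net|A|194.5.97.173
18:30:58.701703072|0x918d|1.ispnano.dns-cloud.net|A|194.5.97.173
18:30:59.496325016|0xdcb2|pastebin.com|A|104.23.99.190
18:30:59.496325016|0xdcb2|pastebin.com|A|104.23.98.190
18:31:04.125413895|0xa051|1.ispnano.dns-cloud.net|A|194.5.97.173
"""

# Assumed watchlist of free dynamic-DNS suffixes; the sample's C2 host sits
# under dns-cloud.net, so it is listed here. Extend it from your own intel.
DYNDNS_SUFFIXES = (".dns-cloud.net",)


def seconds_of_day(hhmmss: str) -> float:
    """'18:28:09.241352081' -> seconds since midnight, fraction preserved."""
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_answers(text: str):
    """Yield (time, trans_id, name, rtype, answer) for every table row."""
    for line in text.splitlines():
        t, tid, name, rtype, answer = line.split("|")
        yield seconds_of_day(t), tid, name, rtype, answer


def lookups_by_name(rows):
    """Collapse the two A records that share one transaction ID into a single
    lookup, so one response is not counted as two beacons."""
    seen, times, addrs = set(), defaultdict(list), defaultdict(set)
    for t, tid, name, rtype, answer in rows:
        if rtype == "A":
            addrs[name].add(answer)
        if (name, tid) not in seen:
            seen.add((name, tid))
            times[name].append(t)
    return times, addrs


def beacon_candidates(text: str, min_lookups: int = 5, max_cv: float = 0.5) -> dict:
    """Names looked up at least min_lookups times whose inter-lookup gaps have a
    coefficient of variation (stdev / mean) of at most max_cv. A client stuck in
    a reconnect loop gives a low cv; interactive browsing gives a high one."""
    times, addrs = lookups_by_name(parse_answers(text))
    hits = {}
    for name, ts in times.items():
        if len(ts) < min_lookups:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits[name] = {"lookups": len(ts), "mean_gap_s": round(mean, 1),
                          "cv": round(cv, 2),
                          "dyndns": name.endswith(DYNDNS_SUFFIXES),
                          "addresses": sorted(addrs[name])}
    return hits


if __name__ == "__main__":
    for name, stats in beacon_candidates(DNS_ANSWERS).items():
        print(name, stats)
```

                                             On this data the only hit is 1.ispnano.dns-cloud.net (20 lookups, mean gap about 7 seconds, cv about 0.26); pastebin.com has seven lookups but a cv above 1 and drops out. Counting by transaction ID matters: without it every pastebin.com response would be counted twice and the gap statistics would be skewed toward zero. The same check works on any resolver log that carries a timestamp and a query name per response.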

                                            HTTPS Packets

                                             Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                                             Jan 8, 2021 18:28:09.406292915 CET | 104.23.98.190 | 443 | 192.168.2.4 | 49728 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Mon Aug 17 02:00:00 CEST 2020 | Tue Aug 17 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                                             Jan 8, 2021 18:28:09.406292915 CET | 104.23.98.190 | 443 | 192.168.2.4 | 49728 | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |
                                             Jan 8, 2021 18:29:37.316323996 CET | 104.23.99.190 | 443 | 192.168.2.4 | 49772 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Mon Aug 17 02:00:00 CEST 2020 | Tue Aug 17 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                                             Jan 8, 2021 18:29:37.316323996 CET | 104.23.99.190 | 443 | 192.168.2.4 | 49772 | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |
                                             Jan 8, 2021 18:30:25.281522989 CET | 104.23.99.190 | 443 | 192.168.2.4 | 49784 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Mon Aug 17 02:00:00 CEST 2020 | Tue Aug 17 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                                             Jan 8, 2021 18:30:25.281522989 CET | 104.23.99.190 | 443 | 192.168.2.4 | 49784 | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |
                                             Jan 8, 2021 18:30:26.827495098 CET | 104.23.98.190 | 443 | 192.168.2.4 | 49785 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Mon Aug 17 02:00:00 CEST 2020 | Tue Aug 17 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                                             Jan 8, 2021 18:30:26.827495098 CET | 104.23.98.190 | 443 | 192.168.2.4 | 49785 | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |
                                             Jan 8, 2021 18:30:34.288294077 CET | 104.23.99.190 | 443 | 192.168.2.4 | 49787 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Mon Aug 17 02:00:00 CEST 2020 | Tue Aug 17 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                                             Jan 8, 2021 18:30:34.288294077 CET | 104.23.99.190 | 443 | 192.168.2.4 | 49787 | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |
                                             Jan 8, 2021 18:30:48.537064075 CET | 104.23.98.190 | 443 | 192.168.2.4 | 49793 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Mon Aug 17 02:00:00 CEST 2020 | Tue Aug 17 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                                             Jan 8, 2021 18:30:48.537064075 CET | 104.23.98.190 | 443 | 192.168.2.4 | 49793 | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |
                                             Jan 8, 2021 18:30:59.593247890 CET | 104.23.99.190 | 443 | 192.168.2.4 | 49798 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | Mon Aug 17 02:00:00 CEST 2020 | Tue Aug 17 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                                             Jan 8, 2021 18:30:59.593247890 CET | 104.23.99.190 | 443 | 192.168.2.4 | 49798 | CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:46:39 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |

                                            Code Manipulations

                                            Statistics

                                            Behavior

                                            System Behavior

                                            General

                                            Start time:18:27:59
                                            Start date:08/01/2021
                                            Path:C:\Users\user\Desktop\shipping order#.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\Desktop\shipping order#.exe'
                                            Imagebase:0xc20000
                                            File size:2818048 bytes
                                            MD5 hash:A916070DF947A28EA73074C080189D35
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:low

                                            General

                                            Start time:18:28:04
                                            Start date:08/01/2021
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
                                            Imagebase:0x380000
                                            File size:430592 bytes
                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:high

                                            General

                                            Start time:18:28:05
                                            Start date:08/01/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:18:28:05
                                            Start date:08/01/2021
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
                                            Imagebase:0x380000
                                            File size:430592 bytes
                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:high

                                            General

                                            Start time:18:28:05
                                            Start date:08/01/2021
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
                                            Imagebase:0x380000
                                            File size:430592 bytes
                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:high

                                            General

                                            Start time:18:28:05
                                            Start date:08/01/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:18:28:06
                                            Start date:08/01/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:18:28:06
                                            Start date:08/01/2021
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order#.exe' -Force
                                            Imagebase:0x380000
                                            File size:430592 bytes
                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:high
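
                                             Four PowerShell launches in the listing above run Add-MpPreference -ExclusionPath, three for the copy the sample drops into the Startup folder and one for the sample's own path on the Desktop, so that neither the persistence copy nor the original is scanned again. Note that the recorded Path is C:\Windows\SysWOW64\...\powershell.exe although the command line names System32: the 32-bit parent is subject to WoW64 file-system redirection, so a rule keyed only on the System32 image path misses these events. The script below is an added example, not part of the Joe Sandbox report or of any Sigma rule: it extracts every -ExclusionPath, -ExclusionProcess and -ExclusionExtension value from process-creation command lines and grades each one by where the excluded object lives and who asked for it. The two report command lines are used verbatim; the attribution of the sample as their parent, and the three contrast events, are constructed for the example.

```python
"""Added example: triage Windows Defender exclusions added through PowerShell.

Input is a list of process-creation events (parent image, image, command
line). The two Add-MpPreference command lines are the ones in this report;
the parent attribution and the three contrast events are constructed.
"""
import re
from dataclasses import dataclass

# One -Exclusion* value: single- or double-quoted (may contain spaces) or bare;
# several values may be comma-separated on one switch.
ITEM = r"""'[^']*'|"[^"]*"|[^\s,'"]+"""
EXCL_RE = re.compile(rf"-Exclusion(Path|Process|Extension)\s+((?:{ITEM})(?:,(?:{ITEM}))*)", re.I)
USER_WRITABLE = ("\\appdata\\", "\\desktop\\", "\\downloads\\", "\\temp\\", "\\public\\")
STARTUP = "\\start menu\\programs\\startup\\"


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"  # Path as recorded
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # path in the command line
SAMPLE = r"C:\Users\user\Desktop\shipping order#.exe"
STARTUP_COPY = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe"

SAMPLE_EVENTS = [
    # Command lines from the report; the sample is assumed to be the parent.
    ProcEvent(SAMPLE, PS32, f"'{PS64}' Add-MpPreference -ExclusionPath '{STARTUP_COPY}' -Force"),
    ProcEvent(SAMPLE, PS32, f"'{PS64}' Add-MpPreference -ExclusionPath '{SAMPLE}' -Force"),
    # Constructed contrast events: an admin excluding a vendor directory, an
    # exclusion for a binary in %TEMP%, and a PowerShell run that adds nothing.
    ProcEvent(r"C:\Windows\explorer.exe", PS64,
              r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor\Scanner'"),
    ProcEvent(r"C:\Windows\explorer.exe", PS64,
              r'powershell.exe Add-MpPreference -ExclusionProcess "C:\Users\user\AppData\Local\Temp\upd.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS64, "powershell.exe Get-MpPreference"),
]


def exclusions(cmdline: str):
    """[(kind, value)] for each -ExclusionPath/-Process/-Extension argument."""
    if not re.search(r"\bAdd-MpPreference\b", cmdline, re.I):
        return []
    return [(kind.lower(), item.strip("'\""))
            for kind, raw in EXCL_RE.findall(cmdline)
            for item in re.findall(ITEM, raw)]


def severity(ev: ProcEvent, kind: str, value: str) -> str:
    """Grade one exclusion by the excluded object and by the requesting parent."""
    v, parent = value.lower(), ev.parent_image.lower()
    if kind == "extension":
        return "medium"     # blinds Defender to a whole file type wherever it sits
    if STARTUP in v or v == parent or any(m in parent for m in USER_WRITABLE):
        return "high"       # persistence path, self-exclusion, or untrusted parent
    if any(m in v for m in USER_WRITABLE):
        return "medium"     # user-writable location excluded by a trusted parent
    return "low"


def triage(events):
    """(severity, kind, value, parent_image) for every exclusion in the events."""
    return [(severity(ev, kind, value), kind, value, ev.parent_image)
            for ev in events for kind, value in exclusions(ev.command_line)]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(*row, sep=" | ")
```

                                             Both report events grade high: the first because the excluded path is in the Startup folder and the second because the excluded object is the parent's own image, which is the self-exclusion pattern a downloader or RAT produces. Feed the function with events from Sysmon event ID 1 or Windows Security event 4688 (with command-line auditing enabled), matching on the Add-MpPreference cmdlet rather than on the PowerShell path, since the SysWOW64 redirection shown above changes the image path without changing the command line.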

                                            General

                                            Start time:18:28:06
                                            Start date:08/01/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:18:28:09
                                            Start date:08/01/2021
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                            Imagebase:0x11d0000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:18:28:10
                                            Start date:08/01/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:18:28:10
                                            Start date:08/01/2021
                                            Path:C:\Windows\SysWOW64\timeout.exe
                                            Wow64 process (32bit):true
                                            Commandline:timeout 1
                                            Imagebase:0x30000
                                            File size:26112 bytes
                                            MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:18:28:13
                                            Start date:08/01/2021
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                            Imagebase:0x11d0000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:18:28:13
                                            Start date:08/01/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6eb840000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:18:28:13
                                            Start date:08/01/2021
                                            Path:C:\Windows\SysWOW64\timeout.exe
                                            Wow64 process (32bit):true
                                            Commandline:timeout 1
                                            Imagebase:0x30000
                                            File size:26112 bytes
                                            MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:18:28:16
                                            Start date:08/01/2021
                                            Path:C:\Users\user\Desktop\shipping order#.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\Desktop\shipping order#.exe'
                                            Imagebase:0x310000
                                            File size:2818048 bytes
                                            MD5 hash:A916070DF947A28EA73074C080189D35
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:low

                                            General

                                            Start time:18:28:20
                                            Start date:08/01/2021
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                            Imagebase:0x11d0000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:18:28:21
                                            Start date:08/01/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:18:28:21
                                            Start date:08/01/2021
                                            Path:C:\Windows\SysWOW64\timeout.exe
                                            Wow64 process (32bit):true
                                            Commandline:timeout 1
                                            Imagebase:0x30000
                                            File size:26112 bytes
                                            MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:18:28:24
                                            Start date:08/01/2021
                                            Path:C:\Users\user\Desktop\shipping order#.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\Desktop\shipping order#.exe'
                                            Imagebase:0x490000
                                            File size:2818048 bytes
                                            MD5 hash:A916070DF947A28EA73074C080189D35
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET

                                            General

                                            Start time:18:28:29
                                            Start date:08/01/2021
                                            Path:C:\Users\user\Desktop\shipping order#.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\shipping order#.exe
                                            Imagebase:0xe60000
                                            File size:2818048 bytes
                                            MD5 hash:A916070DF947A28EA73074C080189D35
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                             • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.953347947.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                            General

                                            Start time:18:28:32
                                            Start date:08/01/2021
                                            Path:C:\Users\user\Desktop\shipping order#.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\Desktop\shipping order#.exe'
                                            Imagebase:0x120000
                                            File size:2818048 bytes
                                            MD5 hash:A916070DF947A28EA73074C080189D35
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET

                                            General

                                            Start time:18:28:38
                                            Start date:08/01/2021
                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 2396
                                            Imagebase:0xac0000
                                            File size:434592 bytes
                                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET

                                            General

                                            Start time:18:28:41
                                            Start date:08/01/2021
                                            Path:C:\Users\user\Desktop\shipping order#.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\Desktop\shipping order#.exe'
                                            Imagebase:0x530000
                                            File size:2818048 bytes
                                            MD5 hash:A916070DF947A28EA73074C080189D35
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET

                                            General

                                            Start time:18:28:49
                                            Start date:08/01/2021
                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe'
                                            Imagebase:0x8b0000
                                            File size:2818048 bytes
                                            MD5 hash:A916070DF947A28EA73074C080189D35
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 30%, ReversingLabs

                                            General

                                            Start time:18:29:03
                                            Start date:08/01/2021
                                            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                            Imagebase:0x9e0000
                                            File size:2818048 bytes
                                            MD5 hash:A916070DF947A28EA73074C080189D35
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 30%, ReversingLabs

                                            General

                                            Start time:18:29:16
                                            Start date:08/01/2021
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
                                            Imagebase:0x380000
                                            File size:430592 bytes
                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET

                                            General

                                            Start time:18:29:16
                                            Start date:08/01/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff724c50000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language

                                            General

                                            Start time:18:29:16
                                            Start date:08/01/2021
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force
                                            Imagebase:0x380000
                                            File size:430592 bytes
                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
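The two PowerShell processes above show the sample excluding its own Startup-folder copy from Windows Defender (Add-MpPreference -ExclusionPath), and the process list also shows the dropped copy being launched from the Startup folder. The following is an added detection example written for this page, not sandbox output or code from the sample: it parses process records shaped like the ones above, extracts every Defender exclusion set on the command line, rates exclusions that point into user-writable locations higher than others, and flags executables launched from the Startup folder. The SAMPLE_PROCESSES records are constructed for illustration (the vendor-agent exclusion is an assumed benign case added for contrast) and the rule names and severities are this example's own choices.

```python
import re

# Constructed (image path, command line) records modelled on the process list
# in this report, plus one assumed benign-looking exclusion for contrast.
SAMPLE_PROCESSES = [
    (r"C:\Users\user\Desktop\shipping order#.exe",
     r"'C:\Users\user\Desktop\shipping order#.exe'"),
    (r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe",
     r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe'"),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference "
     r"-ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.exe' -Force"),
    (r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # Assumed benign admin exclusion under Program Files (constructed, not from the report).
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor\Agent'"),
]

# -ExclusionPath / -ExclusionProcess / -ExclusionExtension followed by one or
# more quoted or bare values separated by commas (PowerShell array syntax).
# Set-MpPreference accepts the same parameters, so the pattern is not tied to
# the cmdlet name.
EXCLUSION_RE = re.compile(
    r"""-Exclusion(?P<kind>Path|Process|Extension)(?:\s*:\s*|\s+)
        (?P<values>(?:'[^']*'|"[^"]*"|[^\s,]+)(?:\s*,\s*(?:'[^']*'|"[^"]*"|[^\s,]+))*)
    """,
    re.IGNORECASE | re.VERBOSE,
)
VALUE_RE = re.compile(r"""'[^']*'|"[^"]*"|[^\s,]+""")

# Locations a standard user can write to; an exclusion here shields
# attacker-controlled files rather than a vendor install.
USER_WRITABLE_RE = re.compile(
    r"""(\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\
        |\\Temp\\
        |\\Users\\Public\\
        |\\ProgramData\\)""",
    re.IGNORECASE | re.VERBOSE,
)

# Executable launched directly from a per-user Startup folder.
STARTUP_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|scr|com|pif|bat|cmd|vbs|js)$",
    re.IGNORECASE,
)


def find_exclusions(cmdline):
    """Return [(kind, value), ...] for every Defender exclusion on the command line."""
    found = []
    for m in EXCLUSION_RE.finditer(cmdline):
        kind = m.group("kind").capitalize()
        for value in VALUE_RE.findall(m.group("values")):
            found.append((kind, value.strip("'\"")))
    return found


def classify_exclusion(value):
    """'high' when the excluded path is user-writable, otherwise 'medium'."""
    return "high" if USER_WRITABLE_RE.search(value) else "medium"


def triage(processes):
    """Run both checks over (image, cmdline) records and return a list of findings."""
    findings = []
    for image, cmdline in processes:
        for kind, value in find_exclusions(cmdline):
            findings.append({
                "image": image,
                "rule": f"defender_exclusion_{kind.lower()}",
                "value": value,
                "severity": classify_exclusion(value),
            })
        if STARTUP_RE.search(image):
            findings.append({
                "image": image,
                "rule": "startup_folder_pe",
                "value": image,
                "severity": "high",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f"[{f['severity']}] {f['rule']}: {f['value']}")
```

Every Add-MpPreference exclusion is reported, because even a Program Files target is worth reviewing; the severity only separates the user-writable case this sample exhibits from routine administration. In a real pipeline the records would come from process-creation telemetry (Sysmon Event ID 1 or Security 4688 with command-line auditing), and the Startup-folder check should be joined with the file-creation event that wrote the PE there, which this report lists under the sample's drop behaviour.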

                                            Disassembly

                                            Code Analysis
