Analysis Report Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

AV Detection:

Found malware configuration

Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.jaemagreci.com/blr/"], "decoy": ["cvmjqcid.com", "cubskw.com", "carbeloy.com", "lucascolterneal.com", "robertlainstrom.com", "long9000.com", "drtconseils.com", "keptus.com", "mediamonkeyhouse.com", "outletmihotel.com", "exchangemailboxrepair.com", "kanaai.com", "mountshastajerky.com", "thepettybox.com", "sweetpopntreatz.com", "wpweasel.com", "plumbersinauckland.com", "sevdaduragi.com", "gesunde-ordnung.com", "10751wilshire801.com", "brandmkttx.net", "yoshiyama-potager.com", "na230.com", "kittyninja.net", "eurythmy.net", "circlecitydesign.com", "thesleepinn.com", "olgadalila.com", "happyaiper.com", "supplierdurian.site", "simplymcs.com", "ug-storecards.com", "gannahealing.com", "ginamoney.com", "emilyadkinsonrealtor.com", "tablatiffin.com", "laughinggrassfarm.com", "thebriartowns.com", "youplus.website", "soheilvaseghi.com", "prodhealth.site", "bltck.com", "zomapa.com", "hcssgy.com", "simplyloveoccasions.com", "mdglitzallstars.com", "rck.xyz", "stanchilo.com", "avadl.pro", "astursuites.com", "whowetrust.com", "easpipe.com", "ortopediagalvao.com", "wellhealt.com", "destinyhouseacton.com", "lazyturtletikibar.com", "online-verifieren.net", "jasa-software.com", "tenager365.com", "atgiven.icu", "recette-originale.com", "danielleandnic.com", "kathrynbaierling.com", "emmaxbellecandleco.com"]}

Multi AV Scanner detection for submitted file

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Virustotal: Detection: 25%			Perma Link
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	ReversingLabs: Detection: 27%

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: explorer.pdbUGP source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275056959.00000000010DF000.00000040.00000001.sdmp, explorer.exe, 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, explorer.exe
Source:	Binary string: explorer.pdb source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4x nop then pop edi		4_2_0040E3A2
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4x nop then pop edi		4_2_0040E44A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop edi		9_2_0309E3A2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop edi		9_2_0309E44A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 50.116.112.43:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 50.116.112.43:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 50.116.112.43:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 185.199.108.153:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 185.199.108.153:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 185.199.108.153:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 176.74.27.137:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 176.74.27.137:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 176.74.27.137:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 164.155.144.220:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 164.155.144.220:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 164.155.144.220:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.jaemagreci.com/blr/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=0qfhgAUhFNnGzH7qGfzqggPFhGYeFRXNcWm+JLPBUuQl5doqjpchYq6utkLPlNOTiwpN&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.kanaai.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=zy4aJG0RjbOs5fr8AigFVw38GRzAFltiV345BgDRTDlQ98Z37kqPuyHkyXsUwHWJOif+&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.cvmjqcid.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=iTLpEvItJY3C/iY0O/gMWVvFAW67iqJR4Qa3Cv5AKoajJvRVMc3YtK32u24rykRgHJga&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.jaemagreci.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=BbRt519gnWT2xWYUVSCsYiPJyU2bwfntJXr00JvtFds5dVCPZN8W3I64QGhm0Na3rvFo&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.sweetpopntreatz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=luzvcdoWPFwNnK5D3r055oflJ4B6PNqet6SFuGGCnSWn2ee+CnvcD8UF6pdBh9++nOVu&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.long9000.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=9NQu4cm/N7DYOvYkOtDGizwfZS7YZZztEmXWW7fOjfXAYFPuQogNr8p6dLx09NPCIIrz&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.soheilvaseghi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ixs7jAbMlvm1ymY&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.gannahealing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=Y4Nqpa2r+tF7um99WXv6gSEpOHOatsVE8QqSeJqkcp8K3U81YoxyR3xnMLz5lVrsAPpR&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.olgadalila.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=bjCfXUMydIGN0g8/5RwnbPPnLj5Or6e3tcQCgNEOQF7zRRnTIveAFITP4tBGYavfcP94&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.zomapa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 35.246.6.109 35.246.6.109
Source: Joe Sandbox View	IP Address: 34.102.136.180 34.102.136.180

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: IDCFIDCFrontierIncJP IDCFIDCFrontierIncJP
Source: Joe Sandbox View	ASN Name: MULTA-ASN1US MULTA-ASN1US

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=0qfhgAUhFNnGzH7qGfzqggPFhGYeFRXNcWm+JLPBUuQl5doqjpchYq6utkLPlNOTiwpN&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.kanaai.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=zy4aJG0RjbOs5fr8AigFVw38GRzAFltiV345BgDRTDlQ98Z37kqPuyHkyXsUwHWJOif+&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.cvmjqcid.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=iTLpEvItJY3C/iY0O/gMWVvFAW67iqJR4Qa3Cv5AKoajJvRVMc3YtK32u24rykRgHJga&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.jaemagreci.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=BbRt519gnWT2xWYUVSCsYiPJyU2bwfntJXr00JvtFds5dVCPZN8W3I64QGhm0Na3rvFo&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.sweetpopntreatz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=luzvcdoWPFwNnK5D3r055oflJ4B6PNqet6SFuGGCnSWn2ee+CnvcD8UF6pdBh9++nOVu&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.long9000.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=9NQu4cm/N7DYOvYkOtDGizwfZS7YZZztEmXWW7fOjfXAYFPuQogNr8p6dLx09NPCIIrz&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.soheilvaseghi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ixs7jAbMlvm1ymY&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.gannahealing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=Y4Nqpa2r+tF7um99WXv6gSEpOHOatsVE8QqSeJqkcp8K3U81YoxyR3xnMLz5lVrsAPpR&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.olgadalila.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /blr/?OhNhA=bjCfXUMydIGN0g8/5RwnbPPnLj5Or6e3tcQCgNEOQF7zRRnTIveAFITP4tBGYavfcP94&Yn=ybdDmfdPTbAT8L HTTP/1.1Host: www.zomapa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.kanaai.com

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 23 Feb 2021 08:44:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 31 63 31 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 79 73 74 65 6d 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2f 2a 20 42 61 73 65 20 2a 2f 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 31 34 70 78 20 56 65 72 64 61 6e 61 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 68 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 27 4d 69 63 72 6f 73 6f 66 74 20 59 61 48 65 69 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 30 70 78 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 62 72 65 61 6b 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 31 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 30 70 78 20 30 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 33 32 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 32 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 32 38 38 63 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 70 78 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 70 78 20 30 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 65 65 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 33 2e 73 75 62 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 32 38 38 63 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a

Urls found in memory or binary data

Source: explorer.exe, 00000005.00000002.754895939.0000000004E61000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.carbeloy.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.carbeloy.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.carbeloy.com/blr/www.prodhealth.site
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.carbeloy.comReferer:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cvmjqcid.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cvmjqcid.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cvmjqcid.com/blr/www.jaemagreci.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cvmjqcid.comReferer:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.gannahealing.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.gannahealing.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.gannahealing.com/blr/www.olgadalila.com
Source: explorer.exe, 00000009.00000002.748643610.000000000561F000.00000004.00000001.sdmp	String found in binary or memory: http://www.gannahealing.com/public/blr?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ix
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.gannahealing.comReferer:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jaemagreci.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jaemagreci.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jaemagreci.com/blr/www.sweetpopntreatz.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jaemagreci.comReferer:
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jasa-software.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jasa-software.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jasa-software.com/blr/j
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jasa-software.comReferer:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.kanaai.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.kanaai.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.kanaai.com/blr/www.cvmjqcid.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.kanaai.comReferer:
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.kathrynbaierling.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.kathrynbaierling.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.kathrynbaierling.com/blr/www.na230.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.kathrynbaierling.comReferer:
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.long9000.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.long9000.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.long9000.com/blr/www.soheilvaseghi.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.long9000.comReferer:
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.na230.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.na230.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.na230.com/blr/www.jasa-software.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.na230.comReferer:
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.olgadalila.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.olgadalila.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.olgadalila.com/blr/www.zomapa.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.olgadalila.comReferer:
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.prodhealth.site
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.prodhealth.site/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.prodhealth.site/blr/www.stanchilo.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.prodhealth.siteReferer:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.soheilvaseghi.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.soheilvaseghi.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.soheilvaseghi.com/blr/www.gannahealing.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.soheilvaseghi.comReferer:
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.stanchilo.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.stanchilo.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.stanchilo.com/blr/www.yoshiyama-potager.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.stanchilo.comReferer:
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.sweetpopntreatz.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.sweetpopntreatz.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.sweetpopntreatz.com/blr/www.long9000.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.sweetpopntreatz.comReferer:
Source: explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.yoshiyama-potager.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.yoshiyama-potager.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.yoshiyama-potager.com/blr/www.kathrynbaierling.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.yoshiyama-potager.comReferer:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.zomapa.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.zomapa.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.zomapa.com/blr/www.carbeloy.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	String found in binary or memory: http://www.zomapa.comReferer:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237111867.0000000000DEB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large strings

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, LogIn.cs	Long String: Length: 13656
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 0.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 4.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.1.unpack, LogIn.cs	Long String: Length: 13656

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00419D60 NtCreateFile,		4_2_00419D60
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00419E10 NtReadFile,		4_2_00419E10
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00419E90 NtClose,		4_2_00419E90
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00419F40 NtAllocateVirtualMemory,		4_2_00419F40
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00419E8C NtClose,		4_2_00419E8C
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00419F3A NtAllocateVirtualMemory,		4_2_00419F3A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029910 NtAdjustPrivilegesToken,LdrInitializeThunk,		4_2_01029910
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010299A0 NtCreateSection,LdrInitializeThunk,		4_2_010299A0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029840 NtDelayExecution,LdrInitializeThunk,		4_2_01029840
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029860 NtQuerySystemInformation,LdrInitializeThunk,		4_2_01029860
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010298F0 NtReadVirtualMemory,LdrInitializeThunk,		4_2_010298F0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029A00 NtProtectVirtualMemory,LdrInitializeThunk,		4_2_01029A00
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029A20 NtResumeThread,LdrInitializeThunk,		4_2_01029A20
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029A50 NtCreateFile,LdrInitializeThunk,		4_2_01029A50
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029540 NtReadFile,LdrInitializeThunk,		4_2_01029540
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010295D0 NtClose,LdrInitializeThunk,		4_2_010295D0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029710 NtQueryInformationToken,LdrInitializeThunk,		4_2_01029710
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029780 NtMapViewOfSection,LdrInitializeThunk,		4_2_01029780
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010297A0 NtUnmapViewOfSection,LdrInitializeThunk,		4_2_010297A0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029660 NtAllocateVirtualMemory,LdrInitializeThunk,		4_2_01029660
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010296E0 NtFreeVirtualMemory,LdrInitializeThunk,		4_2_010296E0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029950 NtQueueApcThread,		4_2_01029950
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010299D0 NtCreateProcessEx,		4_2_010299D0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029820 NtEnumerateKey,		4_2_01029820
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0102B040 NtSuspendThread,		4_2_0102B040
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010298A0 NtWriteVirtualMemory,		4_2_010298A0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029B00 NtSetValueKey,		4_2_01029B00
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0102A3B0 NtGetContextThread,		4_2_0102A3B0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029A10 NtQuerySection,		4_2_01029A10
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029A80 NtOpenDirectoryObject,		4_2_01029A80
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029520 NtWaitForSingleObject,		4_2_01029520
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0102AD30 NtSetContextThread,		4_2_0102AD30
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029560 NtWriteFile,		4_2_01029560
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010295F0 NtQueryInformationFile,		4_2_010295F0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0102A710 NtOpenProcessToken,		4_2_0102A710
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029730 NtQueryVirtualMemory,		4_2_01029730
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029760 NtOpenProcess,		4_2_01029760
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029770 NtSetInformationFile,		4_2_01029770
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0102A770 NtOpenThread,		4_2_0102A770
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029FE0 NtCreateMutant,		4_2_01029FE0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029610 NtEnumerateValueKey,		4_2_01029610
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029650 NtQueryValueKey,		4_2_01029650
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01029670 NtQueryInformationProcess,		4_2_01029670
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010296D0 NtCreateKey,		4_2_010296D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C695D0 NtClose,LdrInitializeThunk,		9_2_04C695D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69540 NtReadFile,LdrInitializeThunk,		9_2_04C69540
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C696D0 NtCreateKey,LdrInitializeThunk,		9_2_04C696D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C696E0 NtFreeVirtualMemory,LdrInitializeThunk,		9_2_04C696E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69650 NtQueryValueKey,LdrInitializeThunk,		9_2_04C69650
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69660 NtAllocateVirtualMemory,LdrInitializeThunk,		9_2_04C69660
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69FE0 NtCreateMutant,LdrInitializeThunk,		9_2_04C69FE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69780 NtMapViewOfSection,LdrInitializeThunk,		9_2_04C69780
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69710 NtQueryInformationToken,LdrInitializeThunk,		9_2_04C69710
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69840 NtDelayExecution,LdrInitializeThunk,		9_2_04C69840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69860 NtQuerySystemInformation,LdrInitializeThunk,		9_2_04C69860
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C699A0 NtCreateSection,LdrInitializeThunk,		9_2_04C699A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69910 NtAdjustPrivilegesToken,LdrInitializeThunk,		9_2_04C69910
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69A50 NtCreateFile,LdrInitializeThunk,		9_2_04C69A50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C695F0 NtQueryInformationFile,		9_2_04C695F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69560 NtWriteFile,		9_2_04C69560
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69520 NtWaitForSingleObject,		9_2_04C69520
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C6AD30 NtSetContextThread,		9_2_04C6AD30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69670 NtQueryInformationProcess,		9_2_04C69670
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69610 NtEnumerateValueKey,		9_2_04C69610
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C697A0 NtUnmapViewOfSection,		9_2_04C697A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69760 NtOpenProcess,		9_2_04C69760
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C6A770 NtOpenThread,		9_2_04C6A770
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69770 NtSetInformationFile,		9_2_04C69770
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C6A710 NtOpenProcessToken,		9_2_04C6A710
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69730 NtQueryVirtualMemory,		9_2_04C69730
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C698F0 NtReadVirtualMemory,		9_2_04C698F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C698A0 NtWriteVirtualMemory,		9_2_04C698A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C6B040 NtSuspendThread,		9_2_04C6B040
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69820 NtEnumerateKey,		9_2_04C69820
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C699D0 NtCreateProcessEx,		9_2_04C699D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69950 NtQueueApcThread,		9_2_04C69950
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69A80 NtOpenDirectoryObject,		9_2_04C69A80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69A00 NtProtectVirtualMemory,		9_2_04C69A00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69A10 NtQuerySection,		9_2_04C69A10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69A20 NtResumeThread,		9_2_04C69A20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C6A3B0 NtGetContextThread,		9_2_04C6A3B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C69B00 NtSetValueKey,		9_2_04C69B00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030A9F40 NtAllocateVirtualMemory,		9_2_030A9F40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030A9E10 NtReadFile,		9_2_030A9E10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030A9E90 NtClose,		9_2_030A9E90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030A9D60 NtCreateFile,		9_2_030A9D60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030A9F3A NtAllocateVirtualMemory,		9_2_030A9F3A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030A9E8C NtClose,		9_2_030A9E8C

Detected potential crypto function

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 0_2_028DC2B0		0_2_028DC2B0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 0_2_028D9990		0_2_028D9990
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0040102F		4_2_0040102F
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00401030		4_2_00401030
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0041D146		4_2_0041D146
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0040117A		4_2_0040117A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0041E229		4_2_0041E229
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0041D4D6		4_2_0041D4D6
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00402D90		4_2_00402D90
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00409E40		4_2_00409E40
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0041D625		4_2_0041D625
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00409E3C		4_2_00409E3C
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0041D73F		4_2_0041D73F
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00402FB0		4_2_00402FB0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01004120		4_2_01004120
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FFB090		4_2_00FFB090
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1002		4_2_010A1002
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010120A0		4_2_010120A0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B20A8		4_2_010B20A8
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEF900		4_2_00FEF900
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B2B28		4_2_010B2B28
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101EBB0		4_2_0101EBB0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B22AE		4_2_010B22AE
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B2D07		4_2_010B2D07
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B1D55		4_2_010B1D55
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01012581		4_2_01012581
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF841F		4_2_00FF841F
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FFD5E0		4_2_00FFD5E0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE0D20		4_2_00FE0D20
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B1FF1		4_2_010B1FF1
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01006E30		4_2_01006E30
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B2EF7		4_2_010B2EF7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CED466		9_2_04CED466
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3841F		9_2_04C3841F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF25DD		9_2_04CF25DD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3D5E0		9_2_04C3D5E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C52581		9_2_04C52581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF1D55		9_2_04CF1D55
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF2D07		9_2_04CF2D07
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C20D20		9_2_04C20D20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF2EF7		9_2_04CF2EF7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CED616		9_2_04CED616
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C46E30		9_2_04C46E30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF1FF1		9_2_04CF1FF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF28EC		9_2_04CF28EC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3B090		9_2_04C3B090
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C520A0		9_2_04C520A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF20A8		9_2_04CF20A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1002		9_2_04CE1002
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C2F900		9_2_04C2F900
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C44120		9_2_04C44120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF22AE		9_2_04CF22AE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CEDBD2		9_2_04CEDBD2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5EBB0		9_2_04C5EBB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF2B28		9_2_04CF2B28
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030AE229		9_2_030AE229
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030AD146		9_2_030AD146
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_03092FB0		9_2_03092FB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030AD625		9_2_030AD625
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_03099E3C		9_2_03099E3C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_03099E40		9_2_03099E40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_03092D90		9_2_03092D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030AD4D6		9_2_030AD4D6

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 04C2B150 appears 35 times
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: String function: 00FEB150 appears 35 times

Sample file is different than original file name gathered from version info

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237111867.0000000000DEB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.236125503.00000000006C1000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRegistryTimeZoneInformation.exe6 vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.243377494.0000000008A10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.243638026.0000000008BE0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.274332960.0000000000581000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRegistryTimeZoneInformation.exe6 vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275294499.000000000126F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.276581329.0000000002ECE000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Binary or memory string: OriginalFilenameRegistryTimeZoneInformation.exe6 vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Uses 32bit PE files

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

.NET source code contains long base64-encoded strings

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.1.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@9/9

Creates files inside the user directory

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.log

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1636:120:WilError_01

Launches a second explorer.exe instance

Source: unknown

Process created: C:\Windows\SysWOW64\explorer.exe

PE file has an executable .text section and no other executable section

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

SQL strings found in memory and binary data

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Sample is known by Antivirus

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Virustotal: Detection: 25%
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	ReversingLabs: Detection: 27%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Source: unknown	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process created: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32

Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: explorer.pdbUGP source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275056959.00000000010DF000.00000040.00000001.sdmp, explorer.exe, 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, explorer.exe
Source:	Binary string: explorer.pdb source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.1.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_004178B3 push edi; iretd		4_2_004178B4
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00419AD3 push edx; iretd		4_2_00419AD5
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00416A8A pushfd ; retf		4_2_00416A90
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00409B8D pushfd ; ret		4_2_00409B90
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00417B8E push edi; ret		4_2_00417B9B
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00409B8D pushfd ; ret		4_2_00409B90
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00404443 push 0000007Bh; iretd		4_2_0040444C
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0040E42C push ss; iretd		4_2_0040E42D
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00419DB2 push es; iretd		4_2_00419DBD
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0041667E push edx; iretd		4_2_0041668C
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0041CEB5 push eax; ret		4_2_0041CF08
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0041CF6C push eax; ret		4_2_0041CF72
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0041CF02 push eax; ret		4_2_0041CF08
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0041CF0B push eax; ret		4_2_0041CF72
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0103D0D1 push ecx; ret		4_2_0103D0E4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C7D0D1 push ecx; ret		9_2_04C7D0E4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_03099B8D pushfd ; ret		9_2_03099B90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030A7B8E push edi; ret		9_2_030A7B9B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030A6A8A pushfd ; retf		9_2_030A6A90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030A9AD3 push edx; iretd		9_2_030A9AD5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030A78B3 push edi; iretd		9_2_030A78B4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030ACF0B push eax; ret		9_2_030ACF72
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030ACF02 push eax; ret		9_2_030ACF08
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030ACF6C push eax; ret		9_2_030ACF72
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030A667E push edx; iretd		9_2_030A668C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030ACEB5 push eax; ret		9_2_030ACF08
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_030A9DB2 push es; iretd		9_2_030A9DBD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_0309E42C push ss; iretd		9_2_0309E42D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_03094443 push 0000007Bh; iretd		9_2_0309444C

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 7.45974448722

Persistence and Installation Behavior:

Creates processes with suspicious names

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

File created: \payment transfer copy of $274,876.00 for the invoice shipments.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xEA

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe PID: 6512, type: MEMORY
Source: Yara match	File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.2a94cf8.1.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 00000000030998E4 second address: 00000000030998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 0000000003099B5E second address: 0000000003099B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Code function: 4_2_00409A90 rdtsc

4_2_00409A90

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe TID: 6516	Thread sleep time: -99992s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe TID: 6532	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 5480	Thread sleep count: 84 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 5480	Thread sleep time: -168000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3868	Thread sleep count: 36 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3868	Thread sleep time: -180000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.259257447.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.258945379.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000005.00000000.251785996.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.259520617.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000005.00000002.755874779.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000005.00000000.258945379.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.258945379.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000005.00000000.258945379.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Code function: 4_2_00409A90 rdtsc

4_2_00409A90

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Code function: 4_2_0040ACD0 LdrLoadDll,

4_2_0040ACD0

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE58EC mov eax, dword ptr fs:[00000030h]		4_2_00FE58EC
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01004120 mov eax, dword ptr fs:[00000030h]		4_2_01004120
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01004120 mov eax, dword ptr fs:[00000030h]		4_2_01004120
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01004120 mov eax, dword ptr fs:[00000030h]		4_2_01004120
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01004120 mov eax, dword ptr fs:[00000030h]		4_2_01004120
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01004120 mov ecx, dword ptr fs:[00000030h]		4_2_01004120
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101513A mov eax, dword ptr fs:[00000030h]		4_2_0101513A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101513A mov eax, dword ptr fs:[00000030h]		4_2_0101513A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0100B944 mov eax, dword ptr fs:[00000030h]		4_2_0100B944
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0100B944 mov eax, dword ptr fs:[00000030h]		4_2_0100B944
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE9080 mov eax, dword ptr fs:[00000030h]		4_2_00FE9080
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0100C182 mov eax, dword ptr fs:[00000030h]		4_2_0100C182
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101A185 mov eax, dword ptr fs:[00000030h]		4_2_0101A185
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01012990 mov eax, dword ptr fs:[00000030h]		4_2_01012990
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010669A6 mov eax, dword ptr fs:[00000030h]		4_2_010669A6
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010161A0 mov eax, dword ptr fs:[00000030h]		4_2_010161A0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010161A0 mov eax, dword ptr fs:[00000030h]		4_2_010161A0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010651BE mov eax, dword ptr fs:[00000030h]		4_2_010651BE
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010651BE mov eax, dword ptr fs:[00000030h]		4_2_010651BE
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010651BE mov eax, dword ptr fs:[00000030h]		4_2_010651BE
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010651BE mov eax, dword ptr fs:[00000030h]		4_2_010651BE
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FFB02A mov eax, dword ptr fs:[00000030h]		4_2_00FFB02A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FFB02A mov eax, dword ptr fs:[00000030h]		4_2_00FFB02A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FFB02A mov eax, dword ptr fs:[00000030h]		4_2_00FFB02A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FFB02A mov eax, dword ptr fs:[00000030h]		4_2_00FFB02A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010741E8 mov eax, dword ptr fs:[00000030h]		4_2_010741E8
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01067016 mov eax, dword ptr fs:[00000030h]		4_2_01067016
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01067016 mov eax, dword ptr fs:[00000030h]		4_2_01067016
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01067016 mov eax, dword ptr fs:[00000030h]		4_2_01067016
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B4015 mov eax, dword ptr fs:[00000030h]		4_2_010B4015
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B4015 mov eax, dword ptr fs:[00000030h]		4_2_010B4015
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEB1E1 mov eax, dword ptr fs:[00000030h]		4_2_00FEB1E1
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEB1E1 mov eax, dword ptr fs:[00000030h]		4_2_00FEB1E1
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEB1E1 mov eax, dword ptr fs:[00000030h]		4_2_00FEB1E1
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101002D mov eax, dword ptr fs:[00000030h]		4_2_0101002D
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101002D mov eax, dword ptr fs:[00000030h]		4_2_0101002D
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101002D mov eax, dword ptr fs:[00000030h]		4_2_0101002D
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101002D mov eax, dword ptr fs:[00000030h]		4_2_0101002D
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101002D mov eax, dword ptr fs:[00000030h]		4_2_0101002D
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01000050 mov eax, dword ptr fs:[00000030h]		4_2_01000050
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01000050 mov eax, dword ptr fs:[00000030h]		4_2_01000050
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A2073 mov eax, dword ptr fs:[00000030h]		4_2_010A2073
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B1074 mov eax, dword ptr fs:[00000030h]		4_2_010B1074
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01063884 mov eax, dword ptr fs:[00000030h]		4_2_01063884
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01063884 mov eax, dword ptr fs:[00000030h]		4_2_01063884
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEB171 mov eax, dword ptr fs:[00000030h]		4_2_00FEB171
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEB171 mov eax, dword ptr fs:[00000030h]		4_2_00FEB171
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEC962 mov eax, dword ptr fs:[00000030h]		4_2_00FEC962
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010120A0 mov eax, dword ptr fs:[00000030h]		4_2_010120A0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010120A0 mov eax, dword ptr fs:[00000030h]		4_2_010120A0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010120A0 mov eax, dword ptr fs:[00000030h]		4_2_010120A0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010120A0 mov eax, dword ptr fs:[00000030h]		4_2_010120A0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010120A0 mov eax, dword ptr fs:[00000030h]		4_2_010120A0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010120A0 mov eax, dword ptr fs:[00000030h]		4_2_010120A0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010290AF mov eax, dword ptr fs:[00000030h]		4_2_010290AF
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101F0BF mov ecx, dword ptr fs:[00000030h]		4_2_0101F0BF
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101F0BF mov eax, dword ptr fs:[00000030h]		4_2_0101F0BF
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101F0BF mov eax, dword ptr fs:[00000030h]		4_2_0101F0BF
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0107B8D0 mov eax, dword ptr fs:[00000030h]		4_2_0107B8D0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0107B8D0 mov ecx, dword ptr fs:[00000030h]		4_2_0107B8D0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0107B8D0 mov eax, dword ptr fs:[00000030h]		4_2_0107B8D0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0107B8D0 mov eax, dword ptr fs:[00000030h]		4_2_0107B8D0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0107B8D0 mov eax, dword ptr fs:[00000030h]		4_2_0107B8D0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0107B8D0 mov eax, dword ptr fs:[00000030h]		4_2_0107B8D0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE9100 mov eax, dword ptr fs:[00000030h]		4_2_00FE9100
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE9100 mov eax, dword ptr fs:[00000030h]		4_2_00FE9100
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE9100 mov eax, dword ptr fs:[00000030h]		4_2_00FE9100
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A131B mov eax, dword ptr fs:[00000030h]		4_2_010A131B
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FFAAB0 mov eax, dword ptr fs:[00000030h]		4_2_00FFAAB0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FFAAB0 mov eax, dword ptr fs:[00000030h]		4_2_00FFAAB0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B8B58 mov eax, dword ptr fs:[00000030h]		4_2_010B8B58
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE52A5 mov eax, dword ptr fs:[00000030h]		4_2_00FE52A5
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE52A5 mov eax, dword ptr fs:[00000030h]		4_2_00FE52A5
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE52A5 mov eax, dword ptr fs:[00000030h]		4_2_00FE52A5
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE52A5 mov eax, dword ptr fs:[00000030h]		4_2_00FE52A5
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE52A5 mov eax, dword ptr fs:[00000030h]		4_2_00FE52A5
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01013B7A mov eax, dword ptr fs:[00000030h]		4_2_01013B7A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01013B7A mov eax, dword ptr fs:[00000030h]		4_2_01013B7A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A138A mov eax, dword ptr fs:[00000030h]		4_2_010A138A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0109D380 mov ecx, dword ptr fs:[00000030h]		4_2_0109D380
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101B390 mov eax, dword ptr fs:[00000030h]		4_2_0101B390
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01012397 mov eax, dword ptr fs:[00000030h]		4_2_01012397
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01014BAD mov eax, dword ptr fs:[00000030h]		4_2_01014BAD
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01014BAD mov eax, dword ptr fs:[00000030h]		4_2_01014BAD
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01014BAD mov eax, dword ptr fs:[00000030h]		4_2_01014BAD
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B5BA5 mov eax, dword ptr fs:[00000030h]		4_2_010B5BA5
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE9240 mov eax, dword ptr fs:[00000030h]		4_2_00FE9240
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE9240 mov eax, dword ptr fs:[00000030h]		4_2_00FE9240
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE9240 mov eax, dword ptr fs:[00000030h]		4_2_00FE9240
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE9240 mov eax, dword ptr fs:[00000030h]		4_2_00FE9240
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010653CA mov eax, dword ptr fs:[00000030h]		4_2_010653CA
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010653CA mov eax, dword ptr fs:[00000030h]		4_2_010653CA
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010103E2 mov eax, dword ptr fs:[00000030h]		4_2_010103E2
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010103E2 mov eax, dword ptr fs:[00000030h]		4_2_010103E2
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010103E2 mov eax, dword ptr fs:[00000030h]		4_2_010103E2
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010103E2 mov eax, dword ptr fs:[00000030h]		4_2_010103E2
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010103E2 mov eax, dword ptr fs:[00000030h]		4_2_010103E2
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010103E2 mov eax, dword ptr fs:[00000030h]		4_2_010103E2
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEAA16 mov eax, dword ptr fs:[00000030h]		4_2_00FEAA16
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEAA16 mov eax, dword ptr fs:[00000030h]		4_2_00FEAA16
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0100DBE9 mov eax, dword ptr fs:[00000030h]		4_2_0100DBE9
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE5210 mov eax, dword ptr fs:[00000030h]		4_2_00FE5210
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE5210 mov ecx, dword ptr fs:[00000030h]		4_2_00FE5210
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE5210 mov eax, dword ptr fs:[00000030h]		4_2_00FE5210
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE5210 mov eax, dword ptr fs:[00000030h]		4_2_00FE5210
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF8A0A mov eax, dword ptr fs:[00000030h]		4_2_00FF8A0A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01003A1C mov eax, dword ptr fs:[00000030h]		4_2_01003A1C
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01024A2C mov eax, dword ptr fs:[00000030h]		4_2_01024A2C
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01024A2C mov eax, dword ptr fs:[00000030h]		4_2_01024A2C
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01074257 mov eax, dword ptr fs:[00000030h]		4_2_01074257
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0109B260 mov eax, dword ptr fs:[00000030h]		4_2_0109B260
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0109B260 mov eax, dword ptr fs:[00000030h]		4_2_0109B260
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B8A62 mov eax, dword ptr fs:[00000030h]		4_2_010B8A62
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF1B8F mov eax, dword ptr fs:[00000030h]		4_2_00FF1B8F
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF1B8F mov eax, dword ptr fs:[00000030h]		4_2_00FF1B8F
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0102927A mov eax, dword ptr fs:[00000030h]		4_2_0102927A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101D294 mov eax, dword ptr fs:[00000030h]		4_2_0101D294
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101D294 mov eax, dword ptr fs:[00000030h]		4_2_0101D294
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEDB60 mov ecx, dword ptr fs:[00000030h]		4_2_00FEDB60
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEF358 mov eax, dword ptr fs:[00000030h]		4_2_00FEF358
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101FAB0 mov eax, dword ptr fs:[00000030h]		4_2_0101FAB0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEDB40 mov eax, dword ptr fs:[00000030h]		4_2_00FEDB40
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01012ACB mov eax, dword ptr fs:[00000030h]		4_2_01012ACB
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01012AE4 mov eax, dword ptr fs:[00000030h]		4_2_01012AE4
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0106A537 mov eax, dword ptr fs:[00000030h]		4_2_0106A537
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01014D3B mov eax, dword ptr fs:[00000030h]		4_2_01014D3B
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01014D3B mov eax, dword ptr fs:[00000030h]		4_2_01014D3B
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01014D3B mov eax, dword ptr fs:[00000030h]		4_2_01014D3B
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B8D34 mov eax, dword ptr fs:[00000030h]		4_2_010B8D34
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01023D43 mov eax, dword ptr fs:[00000030h]		4_2_01023D43
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01063540 mov eax, dword ptr fs:[00000030h]		4_2_01063540
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01007D50 mov eax, dword ptr fs:[00000030h]		4_2_01007D50
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF849B mov eax, dword ptr fs:[00000030h]		4_2_00FF849B
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0100C577 mov eax, dword ptr fs:[00000030h]		4_2_0100C577
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0100C577 mov eax, dword ptr fs:[00000030h]		4_2_0100C577
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01012581 mov eax, dword ptr fs:[00000030h]		4_2_01012581
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01012581 mov eax, dword ptr fs:[00000030h]		4_2_01012581
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01012581 mov eax, dword ptr fs:[00000030h]		4_2_01012581
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01012581 mov eax, dword ptr fs:[00000030h]		4_2_01012581
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101FD9B mov eax, dword ptr fs:[00000030h]		4_2_0101FD9B
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101FD9B mov eax, dword ptr fs:[00000030h]		4_2_0101FD9B
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010135A1 mov eax, dword ptr fs:[00000030h]		4_2_010135A1
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B05AC mov eax, dword ptr fs:[00000030h]		4_2_010B05AC
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B05AC mov eax, dword ptr fs:[00000030h]		4_2_010B05AC
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01011DB5 mov eax, dword ptr fs:[00000030h]		4_2_01011DB5
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01011DB5 mov eax, dword ptr fs:[00000030h]		4_2_01011DB5
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01011DB5 mov eax, dword ptr fs:[00000030h]		4_2_01011DB5
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]		4_2_01066DC9
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]		4_2_01066DC9
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]		4_2_01066DC9
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01066DC9 mov ecx, dword ptr fs:[00000030h]		4_2_01066DC9
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]		4_2_01066DC9
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]		4_2_01066DC9
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01098DF1 mov eax, dword ptr fs:[00000030h]		4_2_01098DF1
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B740D mov eax, dword ptr fs:[00000030h]		4_2_010B740D
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B740D mov eax, dword ptr fs:[00000030h]		4_2_010B740D
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B740D mov eax, dword ptr fs:[00000030h]		4_2_010B740D
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]		4_2_010A1C06
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]		4_2_010A1C06
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]		4_2_010A1C06
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]		4_2_010A1C06
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]		4_2_010A1C06
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]		4_2_010A1C06
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]		4_2_010A1C06
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]		4_2_010A1C06
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]		4_2_010A1C06
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]		4_2_010A1C06
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]		4_2_010A1C06
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]		4_2_010A1C06
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]		4_2_010A1C06
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]		4_2_010A1C06
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01066C0A mov eax, dword ptr fs:[00000030h]		4_2_01066C0A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01066C0A mov eax, dword ptr fs:[00000030h]		4_2_01066C0A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01066C0A mov eax, dword ptr fs:[00000030h]		4_2_01066C0A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01066C0A mov eax, dword ptr fs:[00000030h]		4_2_01066C0A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FFD5E0 mov eax, dword ptr fs:[00000030h]		4_2_00FFD5E0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FFD5E0 mov eax, dword ptr fs:[00000030h]		4_2_00FFD5E0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101BC2C mov eax, dword ptr fs:[00000030h]		4_2_0101BC2C
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101A44B mov eax, dword ptr fs:[00000030h]		4_2_0101A44B
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0107C450 mov eax, dword ptr fs:[00000030h]		4_2_0107C450
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0107C450 mov eax, dword ptr fs:[00000030h]		4_2_0107C450
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0100746D mov eax, dword ptr fs:[00000030h]		4_2_0100746D
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]		4_2_00FE2D8A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]		4_2_00FE2D8A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]		4_2_00FE2D8A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]		4_2_00FE2D8A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]		4_2_00FE2D8A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]		4_2_00FF3D34
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]		4_2_00FF3D34
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]		4_2_00FF3D34
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]		4_2_00FF3D34
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]		4_2_00FF3D34
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]		4_2_00FF3D34
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]		4_2_00FF3D34
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]		4_2_00FF3D34
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]		4_2_00FF3D34
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]		4_2_00FF3D34
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]		4_2_00FF3D34
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]		4_2_00FF3D34
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]		4_2_00FF3D34
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEAD30 mov eax, dword ptr fs:[00000030h]		4_2_00FEAD30
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B8CD6 mov eax, dword ptr fs:[00000030h]		4_2_010B8CD6
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A14FB mov eax, dword ptr fs:[00000030h]		4_2_010A14FB
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01066CF0 mov eax, dword ptr fs:[00000030h]		4_2_01066CF0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01066CF0 mov eax, dword ptr fs:[00000030h]		4_2_01066CF0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01066CF0 mov eax, dword ptr fs:[00000030h]		4_2_01066CF0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B070D mov eax, dword ptr fs:[00000030h]		4_2_010B070D
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B070D mov eax, dword ptr fs:[00000030h]		4_2_010B070D
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101A70E mov eax, dword ptr fs:[00000030h]		4_2_0101A70E
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101A70E mov eax, dword ptr fs:[00000030h]		4_2_0101A70E
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0100F716 mov eax, dword ptr fs:[00000030h]		4_2_0100F716
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0107FF10 mov eax, dword ptr fs:[00000030h]		4_2_0107FF10
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0107FF10 mov eax, dword ptr fs:[00000030h]		4_2_0107FF10
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF76E2 mov eax, dword ptr fs:[00000030h]		4_2_00FF76E2
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101E730 mov eax, dword ptr fs:[00000030h]		4_2_0101E730
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B8F6A mov eax, dword ptr fs:[00000030h]		4_2_010B8F6A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF766D mov eax, dword ptr fs:[00000030h]		4_2_00FF766D
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01067794 mov eax, dword ptr fs:[00000030h]		4_2_01067794
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01067794 mov eax, dword ptr fs:[00000030h]		4_2_01067794
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01067794 mov eax, dword ptr fs:[00000030h]		4_2_01067794
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]		4_2_00FF7E41
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]		4_2_00FF7E41
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]		4_2_00FF7E41
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]		4_2_00FF7E41
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]		4_2_00FF7E41
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]		4_2_00FF7E41
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEE620 mov eax, dword ptr fs:[00000030h]		4_2_00FEE620
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010237F5 mov eax, dword ptr fs:[00000030h]		4_2_010237F5
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEC600 mov eax, dword ptr fs:[00000030h]		4_2_00FEC600
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEC600 mov eax, dword ptr fs:[00000030h]		4_2_00FEC600
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FEC600 mov eax, dword ptr fs:[00000030h]		4_2_00FEC600
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01018E00 mov eax, dword ptr fs:[00000030h]		4_2_01018E00
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010A1608 mov eax, dword ptr fs:[00000030h]		4_2_010A1608
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101A61C mov eax, dword ptr fs:[00000030h]		4_2_0101A61C
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0101A61C mov eax, dword ptr fs:[00000030h]		4_2_0101A61C
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0109FE3F mov eax, dword ptr fs:[00000030h]		4_2_0109FE3F
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FF8794 mov eax, dword ptr fs:[00000030h]		4_2_00FF8794
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]		4_2_0100AE73
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]		4_2_0100AE73
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]		4_2_0100AE73
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]		4_2_0100AE73
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]		4_2_0100AE73
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0107FE87 mov eax, dword ptr fs:[00000030h]		4_2_0107FE87
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FFFF60 mov eax, dword ptr fs:[00000030h]		4_2_00FFFF60
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010646A7 mov eax, dword ptr fs:[00000030h]		4_2_010646A7
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B0EA5 mov eax, dword ptr fs:[00000030h]		4_2_010B0EA5
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B0EA5 mov eax, dword ptr fs:[00000030h]		4_2_010B0EA5
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B0EA5 mov eax, dword ptr fs:[00000030h]		4_2_010B0EA5
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FFEF40 mov eax, dword ptr fs:[00000030h]		4_2_00FFEF40
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_01028EC7 mov eax, dword ptr fs:[00000030h]		4_2_01028EC7
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_0109FEC0 mov eax, dword ptr fs:[00000030h]		4_2_0109FEC0
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010136CC mov eax, dword ptr fs:[00000030h]		4_2_010136CC
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE4F2E mov eax, dword ptr fs:[00000030h]		4_2_00FE4F2E
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_00FE4F2E mov eax, dword ptr fs:[00000030h]		4_2_00FE4F2E
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010B8ED6 mov eax, dword ptr fs:[00000030h]		4_2_010B8ED6
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Code function: 4_2_010116E0 mov ecx, dword ptr fs:[00000030h]		4_2_010116E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF8CD6 mov eax, dword ptr fs:[00000030h]		9_2_04CF8CD6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE14FB mov eax, dword ptr fs:[00000030h]		9_2_04CE14FB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA6CF0 mov eax, dword ptr fs:[00000030h]		9_2_04CA6CF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA6CF0 mov eax, dword ptr fs:[00000030h]		9_2_04CA6CF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA6CF0 mov eax, dword ptr fs:[00000030h]		9_2_04CA6CF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3849B mov eax, dword ptr fs:[00000030h]		9_2_04C3849B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5A44B mov eax, dword ptr fs:[00000030h]		9_2_04C5A44B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CBC450 mov eax, dword ptr fs:[00000030h]		9_2_04CBC450
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CBC450 mov eax, dword ptr fs:[00000030h]		9_2_04CBC450
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C4746D mov eax, dword ptr fs:[00000030h]		9_2_04C4746D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA6C0A mov eax, dword ptr fs:[00000030h]		9_2_04CA6C0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA6C0A mov eax, dword ptr fs:[00000030h]		9_2_04CA6C0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA6C0A mov eax, dword ptr fs:[00000030h]		9_2_04CA6C0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA6C0A mov eax, dword ptr fs:[00000030h]		9_2_04CA6C0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF740D mov eax, dword ptr fs:[00000030h]		9_2_04CF740D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF740D mov eax, dword ptr fs:[00000030h]		9_2_04CF740D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF740D mov eax, dword ptr fs:[00000030h]		9_2_04CF740D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]		9_2_04CE1C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]		9_2_04CE1C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]		9_2_04CE1C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]		9_2_04CE1C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]		9_2_04CE1C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]		9_2_04CE1C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]		9_2_04CE1C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]		9_2_04CE1C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]		9_2_04CE1C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]		9_2_04CE1C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]		9_2_04CE1C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]		9_2_04CE1C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]		9_2_04CE1C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]		9_2_04CE1C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5BC2C mov eax, dword ptr fs:[00000030h]		9_2_04C5BC2C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA6DC9 mov eax, dword ptr fs:[00000030h]		9_2_04CA6DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA6DC9 mov eax, dword ptr fs:[00000030h]		9_2_04CA6DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA6DC9 mov eax, dword ptr fs:[00000030h]		9_2_04CA6DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA6DC9 mov ecx, dword ptr fs:[00000030h]		9_2_04CA6DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA6DC9 mov eax, dword ptr fs:[00000030h]		9_2_04CA6DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA6DC9 mov eax, dword ptr fs:[00000030h]		9_2_04CA6DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3D5E0 mov eax, dword ptr fs:[00000030h]		9_2_04C3D5E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3D5E0 mov eax, dword ptr fs:[00000030h]		9_2_04C3D5E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CEFDE2 mov eax, dword ptr fs:[00000030h]		9_2_04CEFDE2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CEFDE2 mov eax, dword ptr fs:[00000030h]		9_2_04CEFDE2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CEFDE2 mov eax, dword ptr fs:[00000030h]		9_2_04CEFDE2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CEFDE2 mov eax, dword ptr fs:[00000030h]		9_2_04CEFDE2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CD8DF1 mov eax, dword ptr fs:[00000030h]		9_2_04CD8DF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C52581 mov eax, dword ptr fs:[00000030h]		9_2_04C52581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C52581 mov eax, dword ptr fs:[00000030h]		9_2_04C52581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C52581 mov eax, dword ptr fs:[00000030h]		9_2_04C52581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C52581 mov eax, dword ptr fs:[00000030h]		9_2_04C52581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C22D8A mov eax, dword ptr fs:[00000030h]		9_2_04C22D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C22D8A mov eax, dword ptr fs:[00000030h]		9_2_04C22D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C22D8A mov eax, dword ptr fs:[00000030h]		9_2_04C22D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C22D8A mov eax, dword ptr fs:[00000030h]		9_2_04C22D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C22D8A mov eax, dword ptr fs:[00000030h]		9_2_04C22D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5FD9B mov eax, dword ptr fs:[00000030h]		9_2_04C5FD9B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5FD9B mov eax, dword ptr fs:[00000030h]		9_2_04C5FD9B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF05AC mov eax, dword ptr fs:[00000030h]		9_2_04CF05AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF05AC mov eax, dword ptr fs:[00000030h]		9_2_04CF05AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C535A1 mov eax, dword ptr fs:[00000030h]		9_2_04C535A1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C51DB5 mov eax, dword ptr fs:[00000030h]		9_2_04C51DB5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C51DB5 mov eax, dword ptr fs:[00000030h]		9_2_04C51DB5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C51DB5 mov eax, dword ptr fs:[00000030h]		9_2_04C51DB5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C63D43 mov eax, dword ptr fs:[00000030h]		9_2_04C63D43
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA3540 mov eax, dword ptr fs:[00000030h]		9_2_04CA3540
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C47D50 mov eax, dword ptr fs:[00000030h]		9_2_04C47D50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C4C577 mov eax, dword ptr fs:[00000030h]		9_2_04C4C577
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C4C577 mov eax, dword ptr fs:[00000030h]		9_2_04C4C577
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C2AD30 mov eax, dword ptr fs:[00000030h]		9_2_04C2AD30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]		9_2_04C33D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]		9_2_04C33D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]		9_2_04C33D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]		9_2_04C33D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]		9_2_04C33D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]		9_2_04C33D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]		9_2_04C33D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]		9_2_04C33D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]		9_2_04C33D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]		9_2_04C33D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]		9_2_04C33D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]		9_2_04C33D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]		9_2_04C33D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CEE539 mov eax, dword ptr fs:[00000030h]		9_2_04CEE539
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF8D34 mov eax, dword ptr fs:[00000030h]		9_2_04CF8D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CAA537 mov eax, dword ptr fs:[00000030h]		9_2_04CAA537
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C54D3B mov eax, dword ptr fs:[00000030h]		9_2_04C54D3B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C54D3B mov eax, dword ptr fs:[00000030h]		9_2_04C54D3B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C54D3B mov eax, dword ptr fs:[00000030h]		9_2_04C54D3B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C68EC7 mov eax, dword ptr fs:[00000030h]		9_2_04C68EC7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C536CC mov eax, dword ptr fs:[00000030h]		9_2_04C536CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CDFEC0 mov eax, dword ptr fs:[00000030h]		9_2_04CDFEC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF8ED6 mov eax, dword ptr fs:[00000030h]		9_2_04CF8ED6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C376E2 mov eax, dword ptr fs:[00000030h]		9_2_04C376E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C516E0 mov ecx, dword ptr fs:[00000030h]		9_2_04C516E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CBFE87 mov eax, dword ptr fs:[00000030h]		9_2_04CBFE87
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF0EA5 mov eax, dword ptr fs:[00000030h]		9_2_04CF0EA5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF0EA5 mov eax, dword ptr fs:[00000030h]		9_2_04CF0EA5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF0EA5 mov eax, dword ptr fs:[00000030h]		9_2_04CF0EA5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA46A7 mov eax, dword ptr fs:[00000030h]		9_2_04CA46A7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C37E41 mov eax, dword ptr fs:[00000030h]		9_2_04C37E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C37E41 mov eax, dword ptr fs:[00000030h]		9_2_04C37E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C37E41 mov eax, dword ptr fs:[00000030h]		9_2_04C37E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C37E41 mov eax, dword ptr fs:[00000030h]		9_2_04C37E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C37E41 mov eax, dword ptr fs:[00000030h]		9_2_04C37E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C37E41 mov eax, dword ptr fs:[00000030h]		9_2_04C37E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CEAE44 mov eax, dword ptr fs:[00000030h]		9_2_04CEAE44
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CEAE44 mov eax, dword ptr fs:[00000030h]		9_2_04CEAE44
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3766D mov eax, dword ptr fs:[00000030h]		9_2_04C3766D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C4AE73 mov eax, dword ptr fs:[00000030h]		9_2_04C4AE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C4AE73 mov eax, dword ptr fs:[00000030h]		9_2_04C4AE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C4AE73 mov eax, dword ptr fs:[00000030h]		9_2_04C4AE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C4AE73 mov eax, dword ptr fs:[00000030h]		9_2_04C4AE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C4AE73 mov eax, dword ptr fs:[00000030h]		9_2_04C4AE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C2C600 mov eax, dword ptr fs:[00000030h]		9_2_04C2C600
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C2C600 mov eax, dword ptr fs:[00000030h]		9_2_04C2C600
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C2C600 mov eax, dword ptr fs:[00000030h]		9_2_04C2C600
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C58E00 mov eax, dword ptr fs:[00000030h]		9_2_04C58E00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE1608 mov eax, dword ptr fs:[00000030h]		9_2_04CE1608
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5A61C mov eax, dword ptr fs:[00000030h]		9_2_04C5A61C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5A61C mov eax, dword ptr fs:[00000030h]		9_2_04C5A61C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C2E620 mov eax, dword ptr fs:[00000030h]		9_2_04C2E620
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CDFE3F mov eax, dword ptr fs:[00000030h]		9_2_04CDFE3F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C637F5 mov eax, dword ptr fs:[00000030h]		9_2_04C637F5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C38794 mov eax, dword ptr fs:[00000030h]		9_2_04C38794
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA7794 mov eax, dword ptr fs:[00000030h]		9_2_04CA7794
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA7794 mov eax, dword ptr fs:[00000030h]		9_2_04CA7794
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA7794 mov eax, dword ptr fs:[00000030h]		9_2_04CA7794
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3EF40 mov eax, dword ptr fs:[00000030h]		9_2_04C3EF40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3FF60 mov eax, dword ptr fs:[00000030h]		9_2_04C3FF60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF8F6A mov eax, dword ptr fs:[00000030h]		9_2_04CF8F6A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF070D mov eax, dword ptr fs:[00000030h]		9_2_04CF070D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF070D mov eax, dword ptr fs:[00000030h]		9_2_04CF070D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5A70E mov eax, dword ptr fs:[00000030h]		9_2_04C5A70E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5A70E mov eax, dword ptr fs:[00000030h]		9_2_04C5A70E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C4F716 mov eax, dword ptr fs:[00000030h]		9_2_04C4F716
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CBFF10 mov eax, dword ptr fs:[00000030h]		9_2_04CBFF10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CBFF10 mov eax, dword ptr fs:[00000030h]		9_2_04CBFF10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C24F2E mov eax, dword ptr fs:[00000030h]		9_2_04C24F2E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C24F2E mov eax, dword ptr fs:[00000030h]		9_2_04C24F2E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5E730 mov eax, dword ptr fs:[00000030h]		9_2_04C5E730
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CBB8D0 mov eax, dword ptr fs:[00000030h]		9_2_04CBB8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CBB8D0 mov ecx, dword ptr fs:[00000030h]		9_2_04CBB8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CBB8D0 mov eax, dword ptr fs:[00000030h]		9_2_04CBB8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CBB8D0 mov eax, dword ptr fs:[00000030h]		9_2_04CBB8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CBB8D0 mov eax, dword ptr fs:[00000030h]		9_2_04CBB8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CBB8D0 mov eax, dword ptr fs:[00000030h]		9_2_04CBB8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C258EC mov eax, dword ptr fs:[00000030h]		9_2_04C258EC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C29080 mov eax, dword ptr fs:[00000030h]		9_2_04C29080
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA3884 mov eax, dword ptr fs:[00000030h]		9_2_04CA3884
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA3884 mov eax, dword ptr fs:[00000030h]		9_2_04CA3884
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C520A0 mov eax, dword ptr fs:[00000030h]		9_2_04C520A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C520A0 mov eax, dword ptr fs:[00000030h]		9_2_04C520A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C520A0 mov eax, dword ptr fs:[00000030h]		9_2_04C520A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C520A0 mov eax, dword ptr fs:[00000030h]		9_2_04C520A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C520A0 mov eax, dword ptr fs:[00000030h]		9_2_04C520A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C520A0 mov eax, dword ptr fs:[00000030h]		9_2_04C520A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C690AF mov eax, dword ptr fs:[00000030h]		9_2_04C690AF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5F0BF mov ecx, dword ptr fs:[00000030h]		9_2_04C5F0BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5F0BF mov eax, dword ptr fs:[00000030h]		9_2_04C5F0BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5F0BF mov eax, dword ptr fs:[00000030h]		9_2_04C5F0BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C40050 mov eax, dword ptr fs:[00000030h]		9_2_04C40050
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C40050 mov eax, dword ptr fs:[00000030h]		9_2_04C40050
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF1074 mov eax, dword ptr fs:[00000030h]		9_2_04CF1074
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CE2073 mov eax, dword ptr fs:[00000030h]		9_2_04CE2073
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF4015 mov eax, dword ptr fs:[00000030h]		9_2_04CF4015
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF4015 mov eax, dword ptr fs:[00000030h]		9_2_04CF4015
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA7016 mov eax, dword ptr fs:[00000030h]		9_2_04CA7016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA7016 mov eax, dword ptr fs:[00000030h]		9_2_04CA7016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA7016 mov eax, dword ptr fs:[00000030h]		9_2_04CA7016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5002D mov eax, dword ptr fs:[00000030h]		9_2_04C5002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5002D mov eax, dword ptr fs:[00000030h]		9_2_04C5002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5002D mov eax, dword ptr fs:[00000030h]		9_2_04C5002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5002D mov eax, dword ptr fs:[00000030h]		9_2_04C5002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5002D mov eax, dword ptr fs:[00000030h]		9_2_04C5002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3B02A mov eax, dword ptr fs:[00000030h]		9_2_04C3B02A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3B02A mov eax, dword ptr fs:[00000030h]		9_2_04C3B02A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3B02A mov eax, dword ptr fs:[00000030h]		9_2_04C3B02A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3B02A mov eax, dword ptr fs:[00000030h]		9_2_04C3B02A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CB41E8 mov eax, dword ptr fs:[00000030h]		9_2_04CB41E8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C2B1E1 mov eax, dword ptr fs:[00000030h]		9_2_04C2B1E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C2B1E1 mov eax, dword ptr fs:[00000030h]		9_2_04C2B1E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C2B1E1 mov eax, dword ptr fs:[00000030h]		9_2_04C2B1E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5A185 mov eax, dword ptr fs:[00000030h]		9_2_04C5A185
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C4C182 mov eax, dword ptr fs:[00000030h]		9_2_04C4C182
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C52990 mov eax, dword ptr fs:[00000030h]		9_2_04C52990
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C561A0 mov eax, dword ptr fs:[00000030h]		9_2_04C561A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C561A0 mov eax, dword ptr fs:[00000030h]		9_2_04C561A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA69A6 mov eax, dword ptr fs:[00000030h]		9_2_04CA69A6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA51BE mov eax, dword ptr fs:[00000030h]		9_2_04CA51BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA51BE mov eax, dword ptr fs:[00000030h]		9_2_04CA51BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA51BE mov eax, dword ptr fs:[00000030h]		9_2_04CA51BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA51BE mov eax, dword ptr fs:[00000030h]		9_2_04CA51BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C4B944 mov eax, dword ptr fs:[00000030h]		9_2_04C4B944
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C4B944 mov eax, dword ptr fs:[00000030h]		9_2_04C4B944
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C2C962 mov eax, dword ptr fs:[00000030h]		9_2_04C2C962
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C2B171 mov eax, dword ptr fs:[00000030h]		9_2_04C2B171
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C2B171 mov eax, dword ptr fs:[00000030h]		9_2_04C2B171
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C29100 mov eax, dword ptr fs:[00000030h]		9_2_04C29100
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C29100 mov eax, dword ptr fs:[00000030h]		9_2_04C29100
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C29100 mov eax, dword ptr fs:[00000030h]		9_2_04C29100
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C44120 mov eax, dword ptr fs:[00000030h]		9_2_04C44120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C44120 mov eax, dword ptr fs:[00000030h]		9_2_04C44120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C44120 mov eax, dword ptr fs:[00000030h]		9_2_04C44120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C44120 mov eax, dword ptr fs:[00000030h]		9_2_04C44120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C44120 mov ecx, dword ptr fs:[00000030h]		9_2_04C44120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5513A mov eax, dword ptr fs:[00000030h]		9_2_04C5513A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5513A mov eax, dword ptr fs:[00000030h]		9_2_04C5513A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C52ACB mov eax, dword ptr fs:[00000030h]		9_2_04C52ACB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C52AE4 mov eax, dword ptr fs:[00000030h]		9_2_04C52AE4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5D294 mov eax, dword ptr fs:[00000030h]		9_2_04C5D294
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5D294 mov eax, dword ptr fs:[00000030h]		9_2_04C5D294
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C252A5 mov eax, dword ptr fs:[00000030h]		9_2_04C252A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C252A5 mov eax, dword ptr fs:[00000030h]		9_2_04C252A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C252A5 mov eax, dword ptr fs:[00000030h]		9_2_04C252A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C252A5 mov eax, dword ptr fs:[00000030h]		9_2_04C252A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C252A5 mov eax, dword ptr fs:[00000030h]		9_2_04C252A5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3AAB0 mov eax, dword ptr fs:[00000030h]		9_2_04C3AAB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C3AAB0 mov eax, dword ptr fs:[00000030h]		9_2_04C3AAB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C5FAB0 mov eax, dword ptr fs:[00000030h]		9_2_04C5FAB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C29240 mov eax, dword ptr fs:[00000030h]		9_2_04C29240
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C29240 mov eax, dword ptr fs:[00000030h]		9_2_04C29240
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C29240 mov eax, dword ptr fs:[00000030h]		9_2_04C29240
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C29240 mov eax, dword ptr fs:[00000030h]		9_2_04C29240
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CEEA55 mov eax, dword ptr fs:[00000030h]		9_2_04CEEA55
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CB4257 mov eax, dword ptr fs:[00000030h]		9_2_04CB4257
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CDB260 mov eax, dword ptr fs:[00000030h]		9_2_04CDB260
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CDB260 mov eax, dword ptr fs:[00000030h]		9_2_04CDB260
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CF8A62 mov eax, dword ptr fs:[00000030h]		9_2_04CF8A62
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C6927A mov eax, dword ptr fs:[00000030h]		9_2_04C6927A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C38A0A mov eax, dword ptr fs:[00000030h]		9_2_04C38A0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C25210 mov eax, dword ptr fs:[00000030h]		9_2_04C25210
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C25210 mov ecx, dword ptr fs:[00000030h]		9_2_04C25210
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C25210 mov eax, dword ptr fs:[00000030h]		9_2_04C25210
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C25210 mov eax, dword ptr fs:[00000030h]		9_2_04C25210
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C2AA16 mov eax, dword ptr fs:[00000030h]		9_2_04C2AA16
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C2AA16 mov eax, dword ptr fs:[00000030h]		9_2_04C2AA16
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C43A1C mov eax, dword ptr fs:[00000030h]		9_2_04C43A1C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C64A2C mov eax, dword ptr fs:[00000030h]		9_2_04C64A2C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C64A2C mov eax, dword ptr fs:[00000030h]		9_2_04C64A2C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA53CA mov eax, dword ptr fs:[00000030h]		9_2_04CA53CA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04CA53CA mov eax, dword ptr fs:[00000030h]		9_2_04CA53CA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C503E2 mov eax, dword ptr fs:[00000030h]		9_2_04C503E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C503E2 mov eax, dword ptr fs:[00000030h]		9_2_04C503E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C503E2 mov eax, dword ptr fs:[00000030h]		9_2_04C503E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 9_2_04C503E2 mov eax, dword ptr fs:[00000030h]		9_2_04C503E2

Enables debug privileges

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 210.152.86.132 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.52.105.123 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 50.116.112.43 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 176.74.27.137 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.246.6.109 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.199.108.153 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 164.155.144.220 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.27.88.111 80			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Memory written: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 330000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Process created: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000005.00000002.741529190.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000005.00000000.241586685.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.745817464.0000000003440000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp, explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmp, explorer.exe, 00000009.00000002.745817464.0000000003440000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.241586685.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.745817464.0000000003440000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp	Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000005.00000000.241586685.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.745817464.0000000003440000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE